On Jul 21, 2015 4:18 AM, "Florian Weimer" <fwei...@redhat.com> wrote: > > On 07/20/2015 07:30 PM, Andrew Lutomirski wrote: > > >> (b) Make a copy of the file, put it in a directory which only the > >> service user can read (or ship it with 750 permissions and the service > >> group controlling it), and set fscaps. The downside is the large binary > >> size (it has to be a copy, a link won't work). And the service user > >> could still run the service with command line options that allow > >> privilege escalation. > >> > > > > If you set inheritable fscaps but not permitted, this should be reasonably > > safe. > > Empirically, this causes the capability to end up in the P set, not the > E set, which means that the application still needs to be capability to > enable it. So it really doesn't help that much in the Go case, sadly. > Although it is fairly close.
Try 2: set the capability in the inheritable set and set the effective bit. (The effective fscap is a single bit, not a mask. You still program it with "=ei" because the syntax is wrong.) --Andy > > -- > Florian Weimer / Red Hat Product Security > -- > devel mailing list > devel@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
