On Wed, Oct 28, 2020 at 06:19:10PM +0100, Bastian Blank wrote:

> > Barring interference from SELinux or AppArmor, ... this should not
> > happen unless file permissions change.
> 
> Maybe this was true ten years ago, but it is no longer.  The OP even
> mentioned something called "no new privileges", which is described only
> one tiny internet search away at
> https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html.

The "..." after "SELinux or AppArmor" is inclusive of other controls
that modify expected POSIX semantics.

Indeed a process with "no_new_privs" will not be able to run sendmail(1)
to submit new email.

> It seems that you have to learn a lot about the security controls that
> a modern Linux provides.

A less patronising tone would be welcome...

-- 
    Viktor.
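
A diagnostic for the no_new_privs behaviour discussed above, added here as an example and not part of the original message: it reports whether the calling process has the flag set and whether a given executable relies on set-user-ID or set-group-ID bits, which execve() ignores under that flag. The function names are illustrative, and the paths to inspect are supplied on the command line.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Nonzero if the mode carries set-user-ID or set-group-ID bits.
 * (File capabilities are also ignored under no_new_privs; not checked here.) */
int mode_grants_privs(mode_t mode) {
    return (mode & (S_ISUID | S_ISGID)) != 0;
}

/* 1 if path is set-id, 0 if it is not, -1 if it cannot be examined. */
int path_grants_privs(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return mode_grants_privs(st.st_mode);
}

/* no_new_privs flag of the calling process: 1 set, 0 clear, -1 on error. */
int nnp_get(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* The flag cannot be cleared once set, so set it in a forked child only
 * and return what that child observes afterwards (-1 on failure). */
int nnp_in_child(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(2);
        _exit(nnp_get() == 1 ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

/* True when exec of a set-id file would run without its extra privileges. */
int exec_loses_privs(int nnp, int path_privs) {
    return nnp == 1 && path_privs == 1;
}

int main(int argc, char **argv) {
    int nnp = nnp_get();
    printf("no_new_privs (this process): %d\n", nnp);
    for (int i = 1; i < argc; i++) {
        int p = path_grants_privs(argv[i]);
        printf("%s: set-id=%d, privileges dropped on exec=%d\n",
               argv[i], p, exec_loses_privs(nnp, p));
    }
    return 0;
}
```

Run it from the same context as the failing submission (for example, the same service unit or container), since the flag is inherited across fork and execve.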
