On 02/11/15 16:33, Lennart Poettering wrote:
> On Wed, 11.02.15 18:32, Topi Miettinen ([email protected]) wrote:
>
>> No setuid programs are expected to be executed, so add
>> SecureBits=noroot noroot-locked
>> to unit files.
>
> Applied! Thanks!
>
> (I hope this is well tested!)
I think I should find some brown paper bags, it does not work (unlike
no-setuid-fixup, which I have been using for some time for most services),
sorry.

Looking at the code in the kernel around SECURE_NOROOT use cases, I suppose the
bit does not only control setuid execution (which is, by the way, all the man
page talks about), but it also means that all capabilities are lost when *any*
program is executed (including the service that systemd is trying to launch),
unless there are filesystem capability bits enabled to support this.

With a bit more work, the needed filesystem capability bits could be enabled at
install time for these programs. I don't know how well distro package tools
handle this, if at all.

Please revert the patch for now. Sorry for the trouble.

-Topi

>
> Lennart
>

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
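The capability arithmetic behind the observation above, as an added example that is not part of this thread or of systemd: a C model of the execve(2) rules from capabilities(7) for kernels before ambient capabilities (Linux 4.3), showing why a root service started with SECBIT_NOROOT set ends up with no capabilities unless its binary carries file capabilities. The struct names, the service_effective helper and the assumed starting state of the service (uid 0, full permitted/effective/bounding sets, empty inheritable set) are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability sets as 64-bit masks; the bit number matches <linux/capability.h>. */
typedef uint64_t capmask;
#define CAP_ALL              UINT64_MAX
#define CAP_BIT(n)           (1ULL << (n))
#define CAP_NET_BIND_SERVICE 10
struct proc_caps { unsigned uid, euid; capmask permitted, effective, inheritable, bounding; };
struct file_caps { bool present; capmask permitted, inheritable; bool effective, setuid_root; };

/* Model of the capability transformation at execve(2) as described in capabilities(7)
 * for kernels before ambient capabilities (Linux 4.3), i.e. the generation this
 * thread concerns. secbit_noroot is the SECBIT_NOROOT flag (SecureBits=noroot). */
struct proc_caps exec_caps(struct proc_caps p, struct file_caps f, bool secbit_noroot)
{
    capmask f_perm = f.present ? f.permitted : 0;
    capmask f_inh  = f.present ? f.inheritable : 0;
    bool    f_eff  = f.present && f.effective;
    /* Root special case: unless SECBIT_NOROOT is set, a uid-0 process is treated as
     * if every executable carried full file capabilities with the effective bit on. */
    if (!secbit_noroot) {
        if (p.uid == 0 || p.euid == 0) { f_perm = CAP_ALL; f_inh = CAP_ALL; }
        if (p.euid == 0 || (f.setuid_root && p.uid == 0)) f_eff = true;
    }
    struct proc_caps n = p;   /* inheritable and bounding sets carry over unchanged */
    n.permitted = (p.inheritable & f_inh) | (f_perm & p.bounding);
    n.effective = f_eff ? n.permitted : 0;
    return n;
}

/* Effective set a root service (assumed start: uid 0, full caps, empty inheritable set)
 * has after systemd exec()s its binary with the given file capabilities attached. */
capmask service_effective(bool secbit_noroot, struct file_caps binary)
{
    struct proc_caps root = { 0, 0, CAP_ALL, CAP_ALL, 0, CAP_ALL };
    return exec_caps(root, binary, secbit_noroot).effective;
}

int main(void)
{
    struct file_caps none = { .present = false };
    struct file_caps bind = { .present = true, .permitted = CAP_BIT(CAP_NET_BIND_SERVICE), .effective = true };
    printf("default:            %#llx\n", (unsigned long long)service_effective(false, none));
    printf("noroot, no fscaps:  %#llx\n", (unsigned long long)service_effective(true, none));
    printf("noroot, fscaps set: %#llx\n", (unsigned long long)service_effective(true, bind));
    return 0;
}
```

The second line of output is the empty set: with noroot the service binary is treated like any unprivileged executable, so only capabilities granted by the file itself survive the exec.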
