Bug#756604: systemd: NoNewPrivileges allows UID changes, while the doc says it prohibits it

Ansgar Burchardt ansgar at debian.org
Thu Jul 31 10:53:21 BST 2014


Hi,

On 07/31/2014 11:42, intrigeri at debian.org wrote:
> the attached unit file has NoNewPrivileges set to "yes", which,
> according to systemd.exec(5), "prohibits UID changes of any kind".
> 
> However, the tor daemon it starts successfully manages to change its
> UID to debian-tor, as configured with "User debian-tor" in
> /usr/share/tor/tor-service-defaults-torrc:
[...]
> Did I misunderstand the documentation, or is the doc wrong, or is
> there a bug somewhere?

It works as intended, but the documentation might be a bit misleading.
NoNewPrivileges only affects the exec syscall which will no longer grant
any new privileges, including no longer switching uid for suid binaries.
It does *not* take away the CAP_SETUID or any other capabilities the
process already has.

See also man:prctl(2) and Documentation/prctl/no_new_privs.txt in the
Linux kernel documentation.

Ansgar
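To make the distinction in the reply concrete, here is an added example (not part of this thread, nor systemd's or tor's code) that does on a small scale what systemd does for a unit with NoNewPrivileges=yes and what tor then does afterwards: it sets the no_new_privs flag with prctl(2), reads it back both via prctl and from /proc/self/status (the line an administrator can check on a running service), and then calls setresuid(2). The flag only changes what a later execve(2) may grant (set-user-ID bits and file capabilities are ignored), so a process that already holds CAP_SETUID, as tor does when started as root, can still switch UID. The target UID 65534 is a constructed stand-in for debian-tor, whose numeric id the thread does not give; when run without CAP_SETUID the example falls back to setting the UID it already has, which is always permitted. Linux with glibc is assumed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Set the no_new_privs flag on the calling process, the same flag systemd
 * sets before exec'ing the service binary when NoNewPrivileges=yes.
 * Returns 1 once the flag is set, -1 on error. The flag is inherited
 * across fork() and execve() and can never be cleared again. */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return -1;
    }
    /* PR_GET_NO_NEW_PRIVS returns the flag's value as the function result. */
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Read the "NoNewPrivs:" line from /proc/self/status. This is the same check
 * one can run against /proc/<pid>/status of a live service to confirm the
 * unit setting took effect. Returns 0 or 1, or -1 if /proc is unavailable. */
int read_no_new_privs_status(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);   /* atoi skips the tab before the digit */
            break;
        }
    }
    fclose(f);
    return value;
}

/* Change UID after the flag is set. no_new_privs does not touch the setuid
 * family of syscalls: with CAP_SETUID (euid 0) the switch to target_uid
 * succeeds exactly as tor's "User debian-tor" does under the unit in the
 * report; without it we can only "switch" to the UID we already have.
 * Returns the resulting real UID, or -1 if the kernel refused. */
long switch_uid_after_flag(uid_t target_uid)
{
    uid_t uid = (geteuid() == 0) ? target_uid : getuid();
    if (setresuid(uid, uid, uid) != 0) {
        perror("setresuid");
        return -1;
    }
    return (long)getuid();
}

int main(void)
{
    uid_t start_euid = geteuid();
    if (enable_no_new_privs() != 1)
        return 1;
    printf("NoNewPrivs in /proc/self/status: %d\n", read_no_new_privs_status());

    /* 65534 (typically "nobody") is a constructed stand-in for the
     * debian-tor UID, which is not given numerically in the thread. */
    long uid = switch_uid_after_flag(65534);
    printf("euid at start: %lu, uid after setresuid() under no_new_privs: %ld\n",
           (unsigned long)start_euid, uid);
    return uid < 0 ? 1 : 0;
}
```

Run it once as an unprivileged user and once as root: in both cases the prctl succeeds and the status line reads 1, and as root the UID still changes to 65534. What the flag would have blocked is the other direction, i.e. this process exec'ing a set-user-ID binary and coming back as root; that is the case the systemd.exec(5) wording is really describing.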



