|
 |
b9a53a |
From 797ebaa8240aefc39de3d1713468b221c83ed3f5 Mon Sep 17 00:00:00 2001
|
|
|
b9a53a |
From: Lennart Poettering <lennart@poettering.net>
|
|
|
b9a53a |
Date: Wed, 20 Mar 2019 19:45:32 +0100
|
|
|
b9a53a |
Subject: [PATCH] man: document the new RestrictSUIDSGID= setting
|
|
|
b9a53a |
|
|
|
b9a53a |
(cherry picked from commit 7445db6eb70e8d5989f481d0c5a08ace7047ae5b)
|
|
|
b9a53a |
Related: #1687512
|
|
|
b9a53a |
---
|
|
|
b9a53a |
doc/TRANSIENT-SETTINGS.md | 1 +
|
|
|
b9a53a |
man/systemd.exec.xml | 41 +++++++++++++++++++++++++++------------
|
|
|
b9a53a |
2 files changed, 30 insertions(+), 12 deletions(-)
|
|
|
b9a53a |
|
|
|
b9a53a |
diff --git a/doc/TRANSIENT-SETTINGS.md b/doc/TRANSIENT-SETTINGS.md
|
|
|
b9a53a |
index 0ea444b133..c2b5c0dcce 100644
|
|
|
b9a53a |
--- a/doc/TRANSIENT-SETTINGS.md
|
|
|
b9a53a |
+++ b/doc/TRANSIENT-SETTINGS.md
|
|
|
b9a53a |
@@ -149,6 +149,7 @@ All execution-related settings are available for transient units.
|
|
|
b9a53a |
✓ MemoryDenyWriteExecute=
|
|
|
b9a53a |
✓ RestrictNamespaces=
|
|
|
b9a53a |
✓ RestrictRealtime=
|
|
|
b9a53a |
+✓ RestrictSUIDSGID=
|
|
|
b9a53a |
✓ RestrictAddressFamilies=
|
|
|
b9a53a |
✓ LockPersonality=
|
|
|
b9a53a |
✓ LimitCPU=
|
|
|
b9a53a |
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
|
|
|
b9a53a |
index 87fb8b34f4..45ed1864f8 100644
|
|
|
b9a53a |
--- a/man/systemd.exec.xml
|
|
|
b9a53a |
+++ b/man/systemd.exec.xml
|
|
|
b9a53a |
@@ -348,18 +348,19 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|
|
b9a53a |
<varlistentry>
|
|
|
b9a53a |
<term><varname>NoNewPrivileges=</varname></term>
|
|
|
b9a53a |
|
|
|
b9a53a |
- <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can
|
|
|
b9a53a |
- never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem
|
|
|
b9a53a |
- capabilities). This is the simplest and most effective way to ensure that a process and its children can never
|
|
|
b9a53a |
- elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this
|
|
|
b9a53a |
- setting. This is the case when <varname>SystemCallFilter=</varname>,
|
|
|
b9a53a |
- <varname>SystemCallArchitectures=</varname>, <varname>RestrictAddressFamilies=</varname>,
|
|
|
b9a53a |
- <varname>RestrictNamespaces=</varname>, <varname>PrivateDevices=</varname>,
|
|
|
b9a53a |
- <varname>ProtectKernelTunables=</varname>, <varname>ProtectKernelModules=</varname>,
|
|
|
b9a53a |
- <varname>MemoryDenyWriteExecute=</varname>, <varname>RestrictRealtime=</varname>, or
|
|
|
b9a53a |
- <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by them,
|
|
|
b9a53a |
- <command>systemctl show</command> shows the original value of this setting. Also see
|
|
|
b9a53a |
- <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges
|
|
|
b9a53a |
+ <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its
|
|
|
b9a53a |
+ children can never gain new privileges through <function>execve()</function> (e.g. via setuid or
|
|
|
b9a53a |
+ setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that
|
|
|
b9a53a |
+ a process and its children can never elevate privileges again. Defaults to false, but certain
|
|
|
b9a53a |
+ settings override this and ignore the value of this setting. This is the case when
|
|
|
b9a53a |
+ <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>,
|
|
|
b9a53a |
+ <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>,
|
|
|
b9a53a |
+ <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
|
|
|
b9a53a |
+ <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>,
|
|
|
b9a53a |
+ <varname>RestrictRealtime=</varname>, <varname>RestrictSUIDSGID=</varname> or
|
|
|
b9a53a |
+ <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by
|
|
|
b9a53a |
+ them, <command>systemctl show</command> shows the original value of this setting. Also see
|
|
|
b9a53a |
+ url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges
|
|
|
b9a53a |
Flag</ulink>. </para></listitem>
|
|
|
b9a53a |
</varlistentry>
|
|
|
b9a53a |
|
|
|
b9a53a |
@@ -1274,6 +1275,22 @@ RestrictNamespaces=~cgroup net</programlisting>
|
|
|
b9a53a |
that actually require them. Defaults to off.</para></listitem>
|
|
|
b9a53a |
</varlistentry>
|
|
|
b9a53a |
|
|
|
b9a53a |
+ <varlistentry>
|
|
|
b9a53a |
+ <term><varname>RestrictSUIDSGID=</varname></term>
|
|
|
b9a53a |
+
|
|
|
b9a53a |
+ <listitem><para>Takes a boolean argument. If set, any attempts to set the set-user-ID (SUID) or
|
|
|
b9a53a |
+ set-group-ID (SGID) bits on files or directories will be denied (for details on these bits see
|
|
|
b9a53a |
+
|
|
|
b9a53a |
+ project='man-pages'><refentrytitle>inode</refentrytitle><manvolnum>7</manvolnum></citerefentry>). If
|
|
|
b9a53a |
+ running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
|
|
|
b9a53a |
+ capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is
|
|
|
b9a53a |
+ implied. As the SUID/SGID bits are mechanisms to elevate privileges, and allows users to acquire the
|
|
|
b9a53a |
+ identity of other users, it is recommended to restrict creation of SUID/SGID files to the few
|
|
|
b9a53a |
+ programs that actually require them. Note that this restricts marking of any type of file system
|
|
|
b9a53a |
+ object with these bits, including both regular files and directories (where the SGID is a different
|
|
|
b9a53a |
+ meaning than for files, see documentation). Defaults to off.</para></listitem>
|
|
|
b9a53a |
+ </varlistentry>
|
|
|
b9a53a |
+
|
|
|
b9a53a |
<varlistentry>
|
|
|
b9a53a |
<term><varname>RemoveIPC=</varname></term>
|
|
|
b9a53a |
|