Add CapabilityBoundingSet to systemd unit file #4960
Conversation
|
This looks fine and I wouldn't hesitate too long before putting it in 7.4(.1) again like this |
| @@ -32,6 +32,9 @@ NoNewPrivileges=true | |||
| # but no physical devices such as /dev/sda. | |||
| PrivateDevices=true | |||
|
|
|||
| # Required for dropping privileges for running as a different user and changin owner and root. | |||
There was a problem hiding this comment.
| # Required for dropping privileges for running as a different user and changin owner and root. | |
| # Required for dropping privileges for running as a different user and changing owner and root. |
|
Actually - CAP_KILL is also required for workers that run under a different user for |
|
I think at this point it's better to just not add this. |
|
@nikic I disagree, are you afraid there will be many more bug-reports caused by this more secure-by-default setup? Maybe documenting this in the Migrating-to-7.4 docs with possibly a link to How to find out what linux capabilities a process requires to work? is a better method of preventing that? |
|
This won't go to 7.4. It's just for master. |
|
@bukka What's the state here? |
|
I have got this on my list and will eventually pick it up. |
|
@bukka I can't find any explanation of why this broke apps in the first place, and wouldn't if it were added again. If this is still applicable can you ensure this is committed with a reasonably complete explanation of what went wrong in the first place and how we are doing things differently. If this is not applicable any longer or you otherwise don't intend to merge this ever, please close the PR. |
Re-introduced CapabilityBoundingSet that got removed in 7.4: 67cd427 as it was breaking apps. It looks that chroot has been also omitted and it needs to be verified again what is actually needed by FPM. As such this targets master only.
Any feedback for additional capabilities is welcome.