diff options
| author | Martin Pitt <martin.pitt@ubuntu.com> | 2016-10-28 15:35:29 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-10-28 15:35:29 +0200 |
| commit | 1740c5a807708e74a7270bfb23beac2039135859 (patch) | |
| tree | c5f1bcbeafad8613c4ba68de3d0f8fd1f2467e12 | |
| parent | 4f985bd80278972912b80df1390f84d7a89f8d51 (diff) | |
| parent | 74388c2d11acd9b638e33e09c7a99a9bc2c6292b (diff) | |
Merge pull request #4458 from keszybz/man-nonewprivileges
Document NoNewPrivileges default value
| -rw-r--r-- | man/systemd.exec.xml | 23 | ||||
| -rw-r--r-- | src/core/load-fragment.c | 7 |
2 files changed, 17 insertions, 13 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index dbe4594730..6a26f3c133 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1234,13 +1234,22 @@ <varlistentry> <term><varname>NoNewPrivileges=</varname></term> - <listitem><para>Takes a boolean argument. If true, ensures - that the service process and all its children can never gain - new privileges. This option is more powerful than the - respective secure bits flags (see above), as it also prohibits - UID changes of any kind. This is the simplest, most effective - way to ensure that a process and its children can never - elevate privileges again.</para></listitem> + <listitem><para>Takes a boolean argument. If true, ensures that the service + process and all its children can never gain new privileges. This option is more + powerful than the respective secure bits flags (see above), as it also prohibits + UID changes of any kind. This is the simplest and most effective way to ensure that + a process and its children can never elevate privileges again. Defaults to false, + but in the user manager instance certain settings force + <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. + Those is the case when <varname>SystemCallFilter=</varname>, + <varname>SystemCallArchitectures=</varname>, + <varname>RestrictAddressFamilies=</varname>, + <varname>PrivateDevices=</varname>, + <varname>ProtectKernelTunables=</varname>, + <varname>ProtectKernelModules=</varname>, + <varname>MemoryDenyWriteExecute=</varname>, or + <varname>RestrictRealtime=</varname> are specified. + </para></listitem> </varlistentry> <varlistentry> diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 118b39c1cf..cbc826809e 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -2744,11 +2744,6 @@ int config_parse_syscall_filter( return r; } - /* Turn on NNP, but only if it wasn't configured explicitly - * before, and only if we are in user mode. */ - if (!c->no_new_privileges_set && MANAGER_IS_USER(u->manager)) - c->no_new_privileges = true; - return 0; } @@ -3837,7 +3832,7 @@ int config_parse_no_new_privileges( return 0; } - c->no_new_privileges = !!k; + c->no_new_privileges = k; c->no_new_privileges_set = true; return 0; |