authorMartin Pitt <martin.pitt@ubuntu.com>2016-10-28 15:35:29 +0200
committerGitHub <noreply@github.com>2016-10-28 15:35:29 +0200
commit1740c5a807708e74a7270bfb23beac2039135859 (patch)
treec5f1bcbeafad8613c4ba68de3d0f8fd1f2467e12
parent4f985bd80278972912b80df1390f84d7a89f8d51 (diff)
parent74388c2d11acd9b638e33e09c7a99a9bc2c6292b (diff)
Merge pull request #4458 from keszybz/man-nonewprivileges
Document NoNewPrivileges default value
-rw-r--r--man/systemd.exec.xml23
-rw-r--r--src/core/load-fragment.c7
2 files changed, 17 insertions, 13 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index dbe4594730..6a26f3c133 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1234,13 +1234,22 @@
<varlistentry>
<term><varname>NoNewPrivileges=</varname></term>
- <listitem><para>Takes a boolean argument. If true, ensures
- that the service process and all its children can never gain
- new privileges. This option is more powerful than the
- respective secure bits flags (see above), as it also prohibits
- UID changes of any kind. This is the simplest, most effective
- way to ensure that a process and its children can never
- elevate privileges again.</para></listitem>
+ <listitem><para>Takes a boolean argument. If true, ensures that the service
+ process and all its children can never gain new privileges. This option is more
+ powerful than the respective secure bits flags (see above), as it also prohibits
+ UID changes of any kind. This is the simplest and most effective way to ensure that
+ a process and its children can never elevate privileges again. Defaults to false,
+ but in the user manager instance certain settings force
+ <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting.
+ Those is the case when <varname>SystemCallFilter=</varname>,
+ <varname>SystemCallArchitectures=</varname>,
+ <varname>RestrictAddressFamilies=</varname>,
+ <varname>PrivateDevices=</varname>,
+ <varname>ProtectKernelTunables=</varname>,
+ <varname>ProtectKernelModules=</varname>,
+ <varname>MemoryDenyWriteExecute=</varname>, or
+ <varname>RestrictRealtime=</varname> are specified.
+ </para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 118b39c1cf..cbc826809e 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2744,11 +2744,6 @@ int config_parse_syscall_filter(
return r;
}
- /* Turn on NNP, but only if it wasn't configured explicitly
- * before, and only if we are in user mode. */
- if (!c->no_new_privileges_set && MANAGER_IS_USER(u->manager))
- c->no_new_privileges = true;
-
return 0;
}
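Review bot: With the parse-time block removed, nothing in this diff forces NoNewPrivileges= on for a user manager when SystemCallFilter= is configured, yet the updated man page in this same commit states that it is forced; the enforcement must therefore live outside this file (presumably at execution time, where the manager type is known), and a seccomp filter installed in an unprivileged user service without NNP would otherwise fail to apply. I would leave a short pointer at the `return 0;` so the next reader does not reinstate the old logic: `/* NoNewPrivileges= is deliberately not set here; for user managers it is forced when the filter is applied at exec time. */`, adjusted to name the actual location. `no_new_privileges_set` is still written in config_parse_no_new_privileges below but has no remaining reader in this file, so please confirm the new consumer honours it (explicit `NoNewPrivileges=no` should not silently override the forced value, or the documentation's "ignoring the value of this setting" wording must match). The body of config_parse_syscall_filter starts outside the hunk.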
@@ -3837,7 +3832,7 @@ int config_parse_no_new_privileges(
return 0;
}
- c->no_new_privileges = !!k;
+ c->no_new_privileges = k;
c->no_new_privileges_set = true;
return 0;
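Review bot: Dropping the `!!` in `c->no_new_privileges = k;` is only a no-op if `k` has already been normalised to 0/1 by the boolean parser and the field is declared `bool`; neither the declaration of `k` nor of the field is visible in the hunk, so this is inferred from the surrounding error check. If the field is a plain `bool` the implicit conversion already collapses any non-zero value, and the change is purely stylistic; if it is an integer bitfield the old form was the safe one. A one-line comment such as `/* k is 0/1 here: negative values were rejected above */` would make the reasoning explicit. The enclosing function starts outside the hunk.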