From: Djalal Harouni Date: Mon, 14 Nov 2016 09:02:00 +0000 (+0100) Subject: doc: note when no new privileges is implied X-Git-Tag: v234~819^2~5 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a7db8614f390615c3dea8d73adf9a6a2cff88c07;p=platform%2Fupstream%2Fsystemd.git doc: note when no new privileges is implied --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 3b39a9c..669b726 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -999,7 +999,11 @@ using mmap2 of /dev/zero instead of using MAP_ANON. This setting is implied if DynamicUser= is set. For this setting the same restrictions regarding mount propagation and - privileges apply as for ReadOnlyPaths= and related calls, see above. + privileges apply as for ReadOnlyPaths= and related calls, see above. + If turned on and if running in user mode, or in system mode, but without the CAP_SYS_ADMIN + capability (e.g. setting User=), NoNewPrivileges=yes + is implied. + @@ -1090,9 +1094,11 @@ mechanism. Almost no services need to write to these at runtime; it is hence recommended to turn this on for most services. For this setting the same restrictions regarding mount propagation and privileges apply as for ReadOnlyPaths= and related calls, see above. Defaults to off. - Note that this option does not prevent kernel tuning through IPC interfaces and external programs. However - InaccessiblePaths= can be used to make some IPC file system objects - inaccessible. + If turned on and if running in user mode, or in system mode, but without the CAP_SYS_ADMIN + capability (e.g. setting User=), NoNewPrivileges=yes + is implied. Note that this option does not prevent kernel tuning through IPC interfaces + and external programs. However InaccessiblePaths= can be used to + make some IPC file system objects inaccessible. 
@@ -1237,7 +1243,7 @@ Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never - elevate privileges again. Defaults to false, but in the user manager instance certain settings force + elevate privileges again. Defaults to false, but certain settings force NoNewPrivileges=yes, ignoring the value of this setting. This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, @@ -1482,7 +1488,11 @@ setns2 system calls, taking the specified flags parameters into account. Note that — if this option is used — in addition to restricting creation and switching of the specified types of namespaces (or all of them, if true) access to the - setns() system call with a zero flags parameter is prohibited. + setns() system call with a zero flags parameter is prohibited. + If running in user mode, or in system mode, but without the CAP_SYS_ADMIN + capability (e.g. setting User=), NoNewPrivileges=yes + is implied. + @@ -1502,7 +1512,11 @@ both privileged and unprivileged. To disable module auto-load feature please see sysctl.d5 kernel.modules_disabled mechanism and - /proc/sys/kernel/modules_disabled documentation. + /proc/sys/kernel/modules_disabled documentation. + If turned on and if running in user mode, or in system mode, but without the CAP_SYS_ADMIN + capability (e.g. setting User=), NoNewPrivileges=yes + is implied. + 
@@ -1563,6 +1577,9 @@ that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes harder for software exploits to change running code dynamically. + If running in user mode, or in system mode, but without the CAP_SYS_ADMIN + capability (e.g. setting User=), NoNewPrivileges=yes + is implied. @@ -1573,7 +1590,10 @@ the unit are refused. This restricts access to realtime task scheduling policies such as SCHED_FIFO, SCHED_RR or SCHED_DEADLINE. See sched7 for details about - these scheduling policies. Realtime scheduling policies may be used to monopolize CPU time for longer periods + these scheduling policies. If running in user mode, or in system mode, but + without the CAP_SYS_ADMIN capability + (e.g. setting User=), NoNewPrivileges=yes + is implied. Realtime scheduling policies may be used to monopolize CPU time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It is hence recommended to restrict access to realtime scheduling to the few programs that actually require them. Defaults to off.
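Review bot: In the PrivateDevices= hunk (@@ -999,7 +999,11 @@) the added paragraph ends with a bare `+` line that introduces an empty line before the closing of the list item; drop it so the rendered man page does not get a stray blank. More importantly, the new sentence "NoNewPrivileges=yes is implied" states the effect without pointing the reader at its consequences: per the NoNewPrivileges= description further down, the service and all its children then "can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities)", so an administrator who turns on PrivateDevices= for a User= service silently loses setuid helpers. Suggest adding "see NoNewPrivileges= below" (or the equivalent varnameref) to the sentence; the same applies to every other hunk in this patch that adds the sentence.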
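Review bot: In the ProtectKernelTunables= hunk (@@ -1090,9 +1094,11 @@) the re-flowed text keeps "However InaccessiblePaths= can be used" without a comma after "However"; since the line is being rewritten anyway, change it to "However, InaccessiblePaths= can be used to make some IPC file system objects inaccessible." No other issue with the hunk.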
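Review bot: The NoNewPrivileges= hunk (@@ -1237,7 +1243,7 @@) drops the qualifier "in the user manager instance" from "certain settings force NoNewPrivileges=yes", but the replacement does not say under which condition they now force it, while every per-setting hunk in this patch spells out "if running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting User=)". State the same condition here, since this is the paragraph people will read to understand the behaviour. Also check that the list that follows ("This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, ...") includes all of the settings this patch documents as implying it (PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=); only the first four entries are visible in the context and none of the new ones is added in this hunk.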
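Review bot: The RestrictNamespaces= hunk (@@ -1482,7 +1488,11 @@) adds "If running in user mode, or in system mode, but without ... NoNewPrivileges=yes is implied." without the "If turned on and" prefix used in the PrivateDevices= and ProtectKernelTunables= hunks, so it reads as unconditional. Since the surrounding text says the option restricts "the specified types of namespaces (or all of them, if true)", say explicitly whether any non-empty namespace list triggers the implication or only a true value, and use the same sentence shape as the other hunks. The trailing bare `+` line should go as well.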
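Review bot: The ProtectKernelModules= hunk (@@ -1502,7 +1512,11 @@) also leaves a bare `+` line after "is implied."; remove it for consistency with the rest of the section. Otherwise the wording matches the PrivateDevices= and ProtectKernelTunables= hunks, which is good.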
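Review bot: The MemoryDenyWriteExecute= hunk (@@ -1563,6 +1577,9 @@), like the RestrictNamespaces= one, omits "If turned on and" from the added sentence; please align it with the other hunks so all six settings document the implication in identical words. While touching this paragraph, the preceding context line "as it makes harder for software exploits to change running code dynamically" would read better as "as it makes it harder for software exploits ...".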
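Review bot: In the RestrictRealtime= hunk (@@ -1573,7 +1590,10 @@) the new sentence is inserted between "See sched(7) for details about these scheduling policies." and "Realtime scheduling policies may be used to monopolize CPU time for longer periods of time, ...", which splits the explanation of why realtime access is restricted. Move the "If running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes is implied." sentence to the end of the paragraph, after "Defaults to off.", and give it the "If turned on and" prefix used elsewhere in this patch.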