Merge pull request #4458 from keszybz/man-nonewprivileges

Document NoNewPrivileges default value
2025-03-08 20:58:20 +03:00 · 2016-10-28 15:35:29 +02:00 · 2016-10-28 15:35:29 +02:00 · 1740c5a807
commit 1740c5a807
parent 4f985bd802 74388c2d11
2 changed files with 17 additions and 13 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -1234,13 +1234,22 @@
      <varlistentry>
        <term><varname>NoNewPrivileges=</varname></term>

-        <listitem><para>Takes a boolean argument. If true, ensures
-        that the service process and all its children can never gain
-        new privileges. This option is more powerful than the
-        respective secure bits flags (see above), as it also prohibits
-        UID changes of any kind. This is the simplest, most effective
-        way to ensure that a process and its children can never
-        elevate privileges again.</para></listitem>
+        <listitem><para>Takes a boolean argument. If true, ensures that the service
+        process and all its children can never gain new privileges. This option is more
+        powerful than the respective secure bits flags (see above), as it also prohibits
+        UID changes of any kind. This is the simplest and most effective way to ensure that
+        a process and its children can never elevate privileges again. Defaults to false,
+        but in the user manager instance certain settings force
+        <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting.
+        Those is the case when <varname>SystemCallFilter=</varname>,
+        <varname>SystemCallArchitectures=</varname>,
+        <varname>RestrictAddressFamilies=</varname>,
+        <varname>PrivateDevices=</varname>,
+        <varname>ProtectKernelTunables=</varname>,
+        <varname>ProtectKernelModules=</varname>,
+        <varname>MemoryDenyWriteExecute=</varname>, or
+        <varname>RestrictRealtime=</varname> are specified.
+        </para></listitem>
      </varlistentry>

      <varlistentry>
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -2744,11 +2744,6 @@ int config_parse_syscall_filter(
                        return r;
        }

-        /* Turn on NNP, but only if it wasn't configured explicitly
-         * before, and only if we are in user mode. */
-        if (!c->no_new_privileges_set && MANAGER_IS_USER(u->manager))
-                c->no_new_privileges = true;
-
        return 0;
 }

@ -3837,7 +3832,7 @@ int config_parse_no_new_privileges(
                return 0;
        }

-        c->no_new_privileges = !!k;
+        c->no_new_privileges = k;
        c->no_new_privileges_set = true;

        return 0;