[MDEV-35415] systemd CAP_DAC_OVERRIDE possibly overkill - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 11.4.3
Fix Version/s: None
Component/s: Authentication and Privilege System
Labels:
None
Environment:
el9

Description

systemd unit claims:

# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0

#   does nothing for non-root, not needed if /etc/shadow is u+r

It may be possible to reduce this to CAP_DAC_READ_SEARCH without breaking anything else, to prevent `SELECT INTO OUTFILE` from creating files in unexpected locations (those not prevented by ProtectSystem)

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: MG

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 1 week ago 03:07

Updated:: 1 week ago 03:07

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.