Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
hachyderm.io is one of the many independent Mastodon servers you can use to participate in the fediverse.
Hachyderm is a safe space, LGBTQIA+ and BLM, primarily comprised of tech industry professionals world wide. Note that many non-user account types have restrictions - please see our About page.

Administered by:

Server stats:

9.3K
active users

hachyderm.io: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Public
Lennart Poettering

This whole mess just makes me think we should try harder to kick suid/fcaps out of general purpose Linux distributions. The whole concept is fundamentally backwards, and one of the major weaknesses of traditional UNIX I am sure. The idea behind suid/fcaps of first granting the privileges, inheriting some major, uncontrolled part of the execution environment/resource context/security context and then expecting the binary to securely gate its misuse is just a major mistake: openwall.com/lists/oss-securit

www.openwall.comoss-security - CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so
Cassandrich

@pid_eins Make systemd set prctl PR_SET_NO_NEW_PRIVS in pid 1. 😈

Oct 04, 2023, 10:37 AM·Public·Web
0boosts·1favorite
Public
Lennart Poettering

@dalias We actually have an option for that in /etc/systemd/system.conf.

But I am not aware of any general purpose distro setting that.

And ideally we'd turn off the suid/fcaps logic already in kernel, i.e. compile the whole thing out.

ExploreLive feeds
About