Hrvoje Ribicic authored
The metadata daemon was previously running as root due to its need to open port 80 to provide information to instances. To allow the daemon to run in a more secure way, this patch adds a separate metadata user, and grants the metad executable the CAP_NET_BIND_SERVICE capability. As a result, the metadata daemon can use port 80 without having to acquire the full set of root capabilities and drop it later.

Signed-off-by: Hrvoje Ribicic <riba@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>
46f6fb34
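The point of the change is that the running daemon ends up with exactly one capability, CAP_NET_BIND_SERVICE, instead of root's full set. The check below, an added example that is not part of this commit or of Ganeti, decodes the CapInh/CapPrm/CapEff/CapBnd masks that the kernel exposes in /proc/<pid>/status and reports whether a process holds only the capabilities it needs. The status snippets are constructed sample data: one for a daemon still running as root, one for a daemon that holds only CAP_NET_BIND_SERVICE, and one for a daemon that was dropped to an unprivileged user without being granted the file capability at all. The capability bit numbers come from the kernel's capability.h.

```python
"""Decode Linux capability masks from /proc/<pid>/status and verify that a
service holds only the capabilities it needs (here: CAP_NET_BIND_SERVICE).

Added example; not part of the Ganeti commit. The STATUS_* strings below are
constructed sample data, not captured from a real metad process.
"""

# Capability bit numbers from <linux/capability.h> (bits 0..37).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ",
}
CAP_NET_BIND_SERVICE = 10

# Constructed sample: a daemon still running as uid 0 with every capability.
STATUS_ROOT = """Name:\tmetad
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""

# Constructed sample: unprivileged user, binary carries cap_net_bind_service=+ep.
STATUS_HARDENED = """Name:\tmetad
Uid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000003fffffffff
"""

# Constructed sample: unprivileged user but no file capability granted, so
# bind() on port 80 would fail with EACCES.
STATUS_NOCAP = """Name:\tmetad
Uid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
"""


def parse_cap_masks(status_text):
    """Return the Cap* lines of a /proc/<pid>/status text as {name: int}."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            masks[key.strip()] = int(value.strip(), 16)
    return masks


def decode_caps(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    return [CAP_NAMES.get(bit, "CAP_%d" % bit)
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]


def check_least_privilege(status_text, required):
    """Compare the effective set against the capabilities a service needs.

    Returns a dict with `ok` (effective set equals the required set),
    `missing` (required but absent) and `extra` (present but not required).
    """
    eff = parse_cap_masks(status_text).get("CapEff", 0)
    required_mask = sum(1 << bit for bit in required)
    missing = decode_caps(required_mask & ~eff)
    extra = decode_caps(eff & ~required_mask)
    return {"ok": not missing and not extra, "missing": missing, "extra": extra}


def check_running_process(pid, required=(CAP_NET_BIND_SERVICE,)):
    """Run the same check against a live process on this host (Linux only)."""
    with open("/proc/%d/status" % pid) as status_file:
        return check_least_privilege(status_file.read(), required)


if __name__ == "__main__":
    for label, status in (("root", STATUS_ROOT), ("hardened", STATUS_HARDENED),
                          ("nocap", STATUS_NOCAP)):
        result = check_least_privilege(status, [CAP_NET_BIND_SERVICE])
        print(label, "ok" if result["ok"] else "NOT ok",
              "missing=%s" % result["missing"],
              "extra=%d caps" % len(result["extra"]))
```

To use this against a real deployment, find the daemon's pid and call `check_running_process(pid)`; the effective set should contain only CAP_NET_BIND_SERVICE. The file capability itself is set with `setcap cap_net_bind_service=+ep <path-to-metad>` and inspected with `getcap`; note that file capabilities are lost when the binary is replaced, so a package upgrade that reinstalls metad without re-applying them will leave the daemon in the `STATUS_NOCAP` state, unable to bind port 80, rather than silently falling back to root.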