Re: Policy about network-listening daemons running as root?

Hans de Goede wrote:
Konstantin Ryabitsev wrote:
Hi, all:

Do we have a policy about network-listening daemons not running as
root? Not according to my perusal of fedoraproject.org, but I wanted
to verify in case it's one of the "unwritten rules."


This clearly falls under the unwritten "use your common sense" rule. IOW, no daemon / service should run as root unless it absolutely must, and when not running as root it should have its own user, not use a system user shared with other daemons.

Regards,
If it runs as root, it should drop capabilities that it does not need, and it should have an SELinux policy to confine it. Of course if it runs as non-root, it should have an SELinux policy to confine it.

These are shoulds, not musts.

Hans

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers

--
Fedora-maintainers-readonly mailing list
Fedora-maintainers-readonly@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly
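
Added example, not part of the original thread: a small audit that checks daemons against the "shoulds" discussed above (not root unless required, a dedicated user per daemon, no unneeded capabilities, SELinux confinement). It reads text in the format of `/proc/<pid>/status` and `/proc/<pid>/attr/current`; the daemon names, sample data and the set of domains treated as unconfined are assumptions made for illustration.

```python
# Added example: audit daemons against the thread's "shoulds".
# Sample data is constructed; daemon names and domains are hypothetical.
from collections import Counter

# Capability bit numbers from linux/capability.h (subset).
CAPS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID", 7: "CAP_SETUID",
        10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
        21: "CAP_SYS_ADMIN"}
# Domains treated as unconfined (assumption; adjust to the local policy).
UNCONFINED = {"unconfined_t", "unconfined_service_t", "initrc_t"}

def parse_status(text):
    """Return (effective uid, effective capability mask) from status text."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    euid = int(fields["Uid"].split()[1])       # order: real, effective, saved, fs
    return euid, int(fields["CapEff"].strip(), 16)

def audit(daemons, needed):
    """daemons: {name: (status_text, selinux_context)}; needed: {name: cap names}."""
    findings = []
    parsed = {name: parse_status(status) for name, (status, _) in daemons.items()}
    uid_users = Counter(euid for euid, _ in parsed.values())
    for name, (euid, cap_eff) in parsed.items():
        held = {CAPS.get(b, f"cap_{b}") for b in range(64) if cap_eff >> b & 1}
        extra = sorted(held - needed.get(name, set()))
        if euid == 0:
            findings.append((name, "runs as root"))
        elif uid_users[euid] > 1:
            findings.append((name, f"shares uid {euid} with another daemon"))
        if extra:
            findings.append((name, "unneeded capabilities: " + ", ".join(extra)))
        domain = daemons[name][1].strip().split(":")[2]   # user:role:type:level
        if domain in UNCONFINED:
            findings.append((name, f"not confined by SELinux ({domain})"))
    return findings

SAMPLE = {  # constructed input
    "webd": ("Name:\twebd\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000400\n",
             "system_u:system_r:webd_t:s0"),
    "logd": ("Name:\tlogd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n",
             "system_u:system_r:unconfined_service_t:s0"),
    "cachea": ("Name:\tcachea\nUid:\t99\t99\t99\t99\nCapEff:\t0000000000000000\n",
               "system_u:system_r:cachea_t:s0"),
    "cacheb": ("Name:\tcacheb\nUid:\t99\t99\t99\t99\nCapEff:\t0000000000000000\n",
               "system_u:system_r:cacheb_t:s0"),
}
NEEDED = {"webd": {"CAP_NET_BIND_SERVICE"}}   # what each daemon must keep

if __name__ == "__main__":
    for name, msg in audit(SAMPLE, NEEDED):
        print(f"{name}: {msg}")
```

Here `webd` is flagged only for running as root, because its effective set has been reduced to `CAP_NET_BIND_SERVICE`, while `logd` is flagged on all three counts.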
