Proposal: ReadOnlyDirectories /etc and /usr for network-services

-------- Original Message --------
Subject: Proposal: ReadOnlyDirectories /etc and /usr for network-services
Date: Mon, 22 Jul 2013 00:02:02 +0200
From: Reindl Harald <h.reindl@xxxxxxxxxxxxx>
To: Mailing-List fedora-devel <devel@xxxxxxxxxxxxxxxxxxxxxxx>

Hi

Has anybody considered putting the following as defaults in the systemd units of
network services? Cross-posting to the users list is intended because I think it
is a good idea to bring it to a broader user base!

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr

http://www.freedesktop.org/software/systemd/man/systemd.exec.html

Additionally, making the RPM database inaccessible to network services
is fine; it is set for all listed below and reduces the attack surface:

InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
__________________________________________________

This would greatly reduce the impact of a possible root exploit
and IMHO make installing a rootkit hard to impossible, while
it is a good compromise to a read-only /usr on its own partition
without making system administration via SSH harder.
__________________________________________________

Currently I am in production with it for the following services,
most of them real production (customer services) and a few on
home servers or even not available in the Fedora repos:

* asterisk
* dbmail
* dhcpd
* dnsmasq
* dovecot (running as IMAP/POP3 proxy and SASL)
* hostapd
* httpd
* hylafax
* iaxmodem
* mailgraph
* mpd
* mpdscribble
* mysqld
* named
* netatalk
* ntpd
* open-vm-tools
* openvpn
* postfix
* prosody
* pulseaudio (systemwide)
* pure-ftpd
* rsyslog
* smbd
* smokeping
* unbound
* vnstat
* xinetd (TFTP)
__________________________________________________

Exceptions:

* trafficserver
  it touches /etc/trafficserver at startup
  "ReadOnlyDirectories=/usr" is fine

* mediatomb
  refuses for whatever reason to start with read-only /etc
  "ReadOnlyDirectories=/usr" is fine


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
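Worked example, added here and not part of Reindl's post or of any Fedora package: a POSIX shell script that turns the proposal into a systemd drop-in for an existing unit, with a ReadWriteDirectories= escape hatch for the kind of exception the post lists (a daemon that needs to write under /etc or a spool directory), and a journal check for "Read-only file system" errors after the restart. Assumptions: drop-ins live under /etc/systemd/system/<unit>.d/ (overridable via the hypothetical SYSTEMD_DIR variable) and the file name 10-readonly.conf is a made-up choice. Two caveats a practitioner should know: systemd 231 and later document these settings as ReadOnlyPaths=, InaccessiblePaths= and ReadWritePaths= but still accept the older *Directories= spellings used in the post, and ProtectSystem=full is the modern one-line equivalent of read-only /usr, /boot and /etc.

```shell
#!/bin/sh
# Added example (not from the original post): apply the proposed
# sandboxing to an existing systemd service via a drop-in file.
# Assumptions: drop-ins live under /etc/systemd/system/<unit>.d/
# (override with SYSTEMD_DIR, a name chosen for this example) and the
# file name 10-readonly.conf is a made-up choice. systemd >= 231 calls
# these settings ReadOnlyPaths=/InaccessiblePaths=/ReadWritePaths= but
# still accepts the older *Directories= spellings used here.

# Print the drop-in for $1 (a unit name such as httpd.service). Further
# arguments are absolute paths the service must write to (spool, state,
# upload directories); they are re-exported read-write inside the
# otherwise read-only tree. Relative paths are rejected with a warning.
hardening_dropin() {
    unit=$1; shift
    printf '# Drop-in for %s: read-only /etc and /usr, hidden package database\n' "$unit"
    printf '[Service]\n'
    printf 'ReadOnlyDirectories=/etc\n'
    printf 'ReadOnlyDirectories=/usr\n'
    printf 'InaccessibleDirectories=/var/lib/rpm\n'
    printf 'InaccessibleDirectories=/var/lib/yum\n'
    for p in "$@"; do
        case $p in
            /*) printf 'ReadWriteDirectories=%s\n' "$p" ;;
            *)  printf 'skipping non-absolute path: %s\n' "$p" >&2 ;;
        esac
    done
}

# Write the drop-in for unit $1 (plus optional read-write paths) and
# print the path of the written file. Does not touch systemd itself.
install_dropin() {
    dir=${SYSTEMD_DIR:-/etc/systemd/system}/$1.d
    mkdir -p "$dir"
    hardening_dropin "$@" > "$dir/10-readonly.conf"
    printf '%s\n' "$dir/10-readonly.conf"
}

# Make systemd pick the drop-in up and restart the unit. Only runs when
# systemd is actually PID 1 on this host (/run/systemd/system exists).
apply_dropin() {
    [ -d /run/systemd/system ] || { echo "systemd not running; skipped" >&2; return 0; }
    systemctl daemon-reload
    systemctl restart "$1"
}

# Post-restart check: a service that writes somewhere now read-only fails
# with EROFS, which the journal reports as "Read-only file system".
# Returns 1 if such errors were logged for the unit in the last 5 minutes.
readonly_errors() {
    command -v journalctl >/dev/null 2>&1 || return 0
    if journalctl -u "$1" --since=-5min 2>/dev/null | grep -q 'Read-only file system'; then
        printf '%s writes to a read-only path; add a ReadWriteDirectories= exception\n' "$1" >&2
        return 1
    fi
    return 0
}

# Usage (as root):
#   install_dropin httpd.service /var/www/uploads && apply_dropin httpd.service && readonly_errors httpd.service
```

The journal check is what separates the working services in the list above from the two exceptions: trafficserver fails exactly this check because it writes into /etc/trafficserver, and the fix is a ReadWriteDirectories=/etc/trafficserver line in the drop-in rather than dropping the read-only /etc altogether.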