On Mon, Aug 22, 2011 at 4:32 PM, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
In fact, systemd offers quite a number of security features to secure your
services which can be easily used to enhance local security. I'll
probably blog about this soonishly, but there's a lot of nice stuff in
there. For example, set "PrivateNetwork=yes" in a service file and the
service will be entirely cut off from the network, so that no network
interfaces are visible anymore. It will only have access to a private,
isolated instance of the loopback device. This is something we should
set for a number of services which never should get network access, like
upower, dbus, or colord. Another really simple option like this is
"PrivateTmp=yes" which gives the service a private, isolated /tmp
directory, so that it won't see and cannot access other processes'
files. Stuff like this is really easy to use, and brings immediate
security benefits, since it locks services into flexible jails,
minimizing the attack surface and locking in exploiters.
Fascinating. Very fascinating. For the sake of argument, what would I have to do on a sysvinit-ish system (say F14) to get dbus on an equivalent private network?
-jef
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
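Added example, not part of the original thread or of systemd: a small audit that reports which service units do not enable the "PrivateNetwork=" and "PrivateTmp=" options mentioned in the quoted message. The unit names and contents are constructed sample input, and the check assumes it is handed the full text of each unit file (drop-in overrides are not merged).

```python
# Added example: audit systemd unit text for PrivateNetwork= and PrivateTmp=.
# Unit names and contents below are constructed sample input.
TRUE_VALUES = {"1", "yes", "true", "on"}   # boolean spellings systemd accepts
CHECKED = ("PrivateNetwork", "PrivateTmp")

def service_settings(unit_text):
    """Return {key: value} from the [Service] section; the last assignment wins."""
    settings, section, pending = {}, None, ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1] + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def missing_sandboxing(units):
    """Map unit name -> list of checked options that are not enabled."""
    report = {}
    for name, text in units.items():
        cfg = service_settings(text)
        off = [k for k in CHECKED if cfg.get(k, "no").lower() not in TRUE_VALUES]
        if off:
            report[name] = off
    return report

SAMPLE_UNITS = {  # constructed examples, not real Fedora units
    "example-a.service": "[Unit]\nDescription=A\n[Service]\n"
                         "ExecStart=/usr/bin/a\nPrivateNetwork=yes\nPrivateTmp=true\n",
    "example-b.service": "[Service]\nExecStart=/usr/bin/b\n"
                         "PrivateTmp=yes\n# PrivateNetwork=yes\n",
    "example-c.service": "[Service]\nPrivateNetwork=yes\nPrivateNetwork=no\n"
                         "[Install]\nPrivateTmp=yes\n",
}

if __name__ == "__main__":
    for unit, opts in sorted(missing_sandboxing(SAMPLE_UNITS).items()):
        print(f"{unit}: not enabled: {', '.join(opts)}")
```

A commented-out option, a later assignment that turns the option back off, and an option placed outside `[Service]` all count as not enabled.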