Proposal: ReadOnlyDirectories /etc and /usr for network-services

Hi

has anybody considered putting the following as default in systemd units of
network services? cross-posting to the users list is intended because I think it
is a good idea to bring it to a broader userbase!

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr

http://www.freedesktop.org/software/systemd/man/systemd.exec.html

additionally, having the RPM database accessible to network services is
fine, set for all listed below, and reduces the attack surface

InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
__________________________________________________

this would greatly reduce the impact of a possible root exploit
and IMHO make installing a rootkit hard to impossible, while
it is a good compromise to a read-only /usr on its own partition
without making system administration via SSH harder
__________________________________________________

currently I am in production with it for the following services,
most of them real production (customer services) and a few on
home servers or even not available in the Fedora repos

* asterisk
* dbmail
* dhcpd
* dnsmasq
* dovecot (running as IMAP/POP3 proxy and SASL)
* hostapd
* httpd
* hylafax
* iaxmodem
* mailgraph
* mpd
* mpdscribble
* mysqld
* named
* netatalk
* ntpd
* open-vm-tools
* openvpn
* postfix
* prosody
* pulseaudio (systemwide)
* pure-ftpd
* rsyslog
* smbd
* smokeping
* unbound
* vnstat
* xinetd (TFTP)
__________________________________________________

exceptions:

* trafficserver
  it touches /etc/trafficserver at startup
  "ReadOnlyDirectories=/usr" is fine

* mediatomb
  refuses for whatever reason to start with read-only /etc
  "ReadOnlyDirectories=/usr" is fine


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
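As an added example (not part of the post above), here is a small POSIX shell script that emits the drop-in snippet with the directives proposed in the post and audits an arbitrary unit file's [Service] section for them, so an administrator can check which services still lack the read-only /etc and /usr and the inaccessible RPM/yum databases. The unit text fed to it is constructed inline; directive names are the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from systemd.

# Drop-in fragment applying the post's hardening to one unit
# (e.g. /etc/systemd/system/httpd.service.d/hardening.conf).
make_dropin() {
    cat <<'EOF'
[Service]
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
EOF
}

# Audit unit-file text read from stdin: collect every path listed on
# ReadOnlyDirectories= / InaccessibleDirectories= lines inside [Service]
# (space-separated values on one line are split), then report which of the
# four expected entries are missing. Prints "ok" and returns 0 when complete.
audit_unit() {
    svc=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
          awk '/^\[/ { in_svc = ($0 == "[Service]"); next }
               in_svc && /^(ReadOnlyDirectories|InaccessibleDirectories)=/ {
                   key = $0; sub(/=.*/, "", key)
                   val = $0; sub(/^[^=]*=/, "", val)
                   n = split(val, paths, " ")
                   for (i = 1; i <= n; i++) print key "=" paths[i]
               }')
    missing=""
    for spec in ReadOnlyDirectories=/etc ReadOnlyDirectories=/usr \
                InaccessibleDirectories=/var/lib/rpm \
                InaccessibleDirectories=/var/lib/yum; do
        printf '%s\n' "$svc" | grep -qxF "$spec" || missing="$missing $spec"
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    echo ok
}

# Demo: the generated drop-in passes its own audit.
make_dropin | audit_unit
```

Run `audit_unit < /etc/systemd/system/<unit>.service.d/hardening.conf` against each service's drop-in to find units that only got the /usr half of the change, like the two exceptions listed above.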
