On Monday, 22 July 2013 at 00:02 +0200, Reindl Harald wrote:
> Hi
>
> has anybody considered to put the following as default in systemd-units of
> network services? cross-posting to users-list intended because i think it
> is a good idea to bring it to a broader userbase!
>
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
>
> http://www.freedesktop.org/software/systemd/man/systemd.exec.html
>
> additionally having the RPM database not accessible for network-services
> is fine, set for all listed below and reduces the attack surface
>
> InaccessibleDirectories=/var/lib/rpm
> InaccessibleDirectories=/var/lib/yum
> __________________________________________________
>
> this would greatly reduce the impact of a possible root-exploit
> and IMHO make installing a rootkit hard to impossible while
> it is a good compromise to read-only /usr on a own partition
> without making system-administration via SSH harder

I am not sure for /var/lib/rpm.

For /usr and /etc, you need to be root to modify them most of the time if I am not wrong, and so if you are root, can you set them as being rw again? (And anyway, even if root can change that, it may be sufficient to stop some automated worms, as I have already seen one that overwrote the openssh binary; this would have been prevented.)

> exceptions:
>
> * trafficserver
> it touches /etc/trafficserver at startup
> "ReadOnlyDirectories=/usr" is fine

Seems like a bug in the software. It would prevent it from running from a livecd.

> * mediatomb
> refuses for whatever reason to start with read-only /etc
> "ReadOnlyDirectories=/usr" is fine

Same as above.

--
Michael Scherer

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
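The directives discussed in the thread, written out as a drop-in override unit, as an added example that is not part of either poster's message. The service name (`example-netservice.service`) and the read-write exception path are assumptions chosen to mirror the trafficserver case; the `ReadWriteDirectories=` line shows how a service that needs to write to one sub-directory of /etc can keep the rest of /etc read-only rather than dropping the hardening entirely (nested paths are allowed, and the innermost entry wins). In systemd releases newer than the one discussed here, the same directives are spelled `ReadOnlyPaths=`, `ReadWritePaths=` and `InaccessiblePaths=`; the older names remain accepted as aliases.

```ini
# /etc/systemd/system/example-netservice.service.d/hardening.conf
# Drop-in override (hypothetical unit name), assumption: the service itself
# lives in /usr/lib/systemd/system/example-netservice.service and is untouched.
[Service]
# The service sees /etc and /usr read-only inside its mount namespace,
# so a compromised process cannot replace binaries or persist via config.
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
# Exception for a daemon that legitimately writes its own state under /etc
# (modelled on the trafficserver case from the thread); inner path wins
# over the outer read-only entry, everything else in /etc stays read-only.
ReadWriteDirectories=/etc/trafficserver
# The package database is not visible at all to the network-facing process.
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
```

Apply with `systemctl daemon-reload` followed by `systemctl restart example-netservice.service`; if the daemon then fails to start, the journal entry for the unit will normally show the `EROFS` or `EACCES` error for the path it tried to write, which is the quickest way to find the exception a given service actually needs.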