On 22.07.2013 16:53, Miloslav Trmač wrote:
> On Mon, Jul 22, 2013 at 12:02 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>> has anybody considered to put the following as default in systemd-units of
>> network services? cross-posting to users-list intended because i think it
>> is a good idea to bring it to a broader userbase!
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>
> I think it's generally known by now that I don't like namespaces as a
> security mechanism. At best, this is duplicating SELinux policy with
> less transparency and worse tools.

in general it is better to have more than one safety-net if it comes to
security and there are environments where you simply cannot enforce
SELinux because they become unmaintainable (i have a few of them)

> (The network services shouldn't be running as root in the first place)

"privilege escalation" i say here

it is not much likely *but* a non-privileged process can break out and
this did happen more than once in the past and will happen again, not
every day but when it happens it's bad

however, i enforced this the last few days, for the webserver even much
more than for the other services and thought it may be a good idea to
share the result

[Unit]
Description=Apache Webserver
After=network.service

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
Restart=always
RestartSec=1
UMask=006
PrivateTmp=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/proc
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
InaccessibleDirectories=/var/spool
InaccessibleDirectories=/usr/lib/dracut
InaccessibleDirectories=/usr/lib/firmware
InaccessibleDirectories=/usr/lib/modprobe.d
InaccessibleDirectories=/usr/lib/modules
InaccessibleDirectories=/usr/lib/modules-load.d
InaccessibleDirectories=/usr/lib/sysctl.d
InaccessibleDirectories=/usr/lib/tmpfiles.d
InaccessibleDirectories=/usr/lib/udev

[Install]
WantedBy=multi-user.target
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
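A unit like the one in the mail is easy to over-tighten (a ReadOnlyDirectories= or InaccessibleDirectories= prefix that also covers a path the daemon must write or execute) or to under-tighten (a CapabilityBoundingSet= that still grants CAP_SYS_ADMIN). The following audit script is an added example, not part of the thread or of systemd; it parses the [Service] section, resolves which directive wins for a given path under an assumed simplified model of systemd's semantics (longest matching prefix wins, Inaccessible beats ReadOnly on a tie), and reports needed paths that the sandbox blocks. The sample unit, the path lists and RISKY_CAPS are constructed for the demonstration.

```python
# Constructed sample unit, a trimmed variant of the one in the mail; not a real system's file.
SAMPLE_UNIT = """[Service]
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/home
InaccessibleDirectories=/usr/lib/udev
"""
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO"}

def parse_service(text):
    """Collect (key, value) pairs from [Service]; list directives such as ReadOnlyDirectories repeat."""
    pairs, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            pairs.append(tuple(s.strip() for s in line.split("=", 1)))
    return pairs

def effective_access(pairs, path):
    """'inaccessible', 'read-only' or 'writable'; assumed model: longest prefix wins, Inaccessible beats ReadOnly on a tie."""
    verdict, best = "writable", -1
    for key, value in pairs:
        if key not in ("ReadOnlyDirectories", "InaccessibleDirectories"):
            continue
        d = value.lstrip("-").rstrip("/") or "/"  # a leading '-' only means "ignore if missing"
        if path != d and not path.startswith(d.rstrip("/") + "/"):
            continue
        kind = "inaccessible" if key.startswith("Inaccessible") else "read-only"
        if len(d) > best or (len(d) == best and kind == "inaccessible"):
            verdict, best = kind, len(d)
    return verdict

def audit(text, must_write, must_read):
    """Findings: ExecStart binary or needed paths blocked by the sandbox, plus risky capabilities."""
    pairs, findings = parse_service(text), []
    exe = [v.lstrip("-@+!").split()[0] for k, v in pairs if k == "ExecStart"]
    needs = [(p, ("inaccessible",)) for p in exe + list(must_read)]
    needs += [(p, ("inaccessible", "read-only")) for p in must_write]
    for p, blocked in needs:
        if (a := effective_access(pairs, p)) in blocked:
            findings.append(f"{p} is {a}")
    caps = {c for k, v in pairs if k == "CapabilityBoundingSet" for c in v.split()}
    findings += [f"risky capability in bounding set: {c}" for c in sorted(caps & RISKY_CAPS)]
    return findings
```

Run it against the real unit with the paths your daemon actually logs to and serves from (for httpd typically its log and run directories and the document root) before enabling the sandbox, since a blocked path only shows up at runtime as an opaque permission error.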