Re: Proposal: ReadOnlyDirectories /etc and /usr for network-services

On 22.07.2013 16:53, Miloslav Trmač wrote:
> On Mon, Jul 22, 2013 at 12:02 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>> has anybody considered putting the following as default in systemd units of
>> network services? cross-posting to the users list intended because i think it
>> is a good idea to bring it to a broader userbase!
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
> 
> I think it's generally known by now that I don't like namespaces as a
> security mechanism.  At best, this is duplicating SELinux policy with
> less transparency and worse tools.

in general it is better to have more than one safety net
when it comes to security, and there are environments where
you simply cannot enforce SELinux because they become
unmaintainable (i have a few of them)

> (The network services shouldn't be running as root in the first place)

"privilege escalation" i say here

it is not very likely *but* a non-privileged process can break out,
and this did happen more than once in the past and will happen
again, not every day, but when it happens it's bad

however, i enforced this the last few days, for the webserver even much
more than for the other services, and thought it may be a good idea to share
the result

[Unit]
Description=Apache Webserver
After=network.service

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
Restart=always
RestartSec=1
UMask=006
PrivateTmp=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/proc
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
InaccessibleDirectories=/var/spool
InaccessibleDirectories=/usr/lib/dracut
InaccessibleDirectories=/usr/lib/firmware
InaccessibleDirectories=/usr/lib/modprobe.d
InaccessibleDirectories=/usr/lib/modules
InaccessibleDirectories=/usr/lib/modules-load.d
InaccessibleDirectories=/usr/lib/sysctl.d
InaccessibleDirectories=/usr/lib/tmpfiles.d
InaccessibleDirectories=/usr/lib/udev

[Install]
WantedBy=multi-user.target



-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
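To check whether a unit actually carries the read-only defaults proposed in this thread, here is an added example (Python; not code from this post, from Fedora or from systemd) that parses a unit with systemd's repeated-key list semantics and reports the effective state of /etc and /usr. SAMPLE_UNIT, the /etc/httpd/state path and the longest-match precedence rule are assumptions of the example.

```python
# Added example, not code from the post: check a systemd unit for the read-only and
# inaccessible sandboxing the thread proposes. Models systemd list semantics (repeated
# lines accumulate, 'Key=' resets, leading '-' = ignore if missing); the newer *Paths=
# names (systemd >= 231) are treated as aliases. SAMPLE_UNIT is constructed, not the posted unit.
ALIASES = {"ReadOnlyDirectories": "ReadOnlyPaths", "ReadWriteDirectories": "ReadWritePaths",
           "InaccessibleDirectories": "InaccessiblePaths"}

SAMPLE_UNIT = """\
[Service]
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/usr/lib/modules
ReadWriteDirectories=/etc/httpd/state
"""

def parse_unit(text):
    """Parse unit text into {section: {key: [tokens]}}, keeping every repeated key."""
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values = section.setdefault(ALIASES.get(key.strip(), key.strip()), [])
        if value.strip() == "":
            values.clear()  # 'Key=' with no value resets the accumulated list
        else:
            values.extend(value.split())
    return sections

def effective_state(service, path):
    """'rw', 'ro' or 'inaccessible' for path. Assumption of this example: the most
    specific (longest) matching entry wins, as nested mounts layer over their parents."""
    best_len, state = -1, "rw"
    for key, st in (("ReadWritePaths", "rw"), ("ReadOnlyPaths", "ro"), ("InaccessiblePaths", "inaccessible")):
        for entry in service.get(key, []):
            d = entry.lstrip("-").rstrip("/") or "/"   # '-' prefix is not part of the path
            if (d == "/" or path == d or path.startswith(d + "/")) and len(d) > best_len:
                best_len, state = len(d), st
    return state

def audit(unit_text, required_ro=("/etc", "/usr")):
    """Report the state of the directories the proposal wants read-only."""
    service = parse_unit(unit_text).get("Service", {})
    return {p: effective_state(service, p) for p in required_ro}
```

Running `audit()` over a real unit read from disk shows at a glance whether a later `ReadOnlyDirectories=` reset or a nested `ReadWriteDirectories=` entry has quietly undone the proposed defaults.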
