Re: Proposal: ReadOnlyDirectories /etc and /usr for network-services

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 25.07.2013 17:57, schrieb drago01:
>> in theory yes
>>
>> practically a exploit is not that easy like fire
>> a bundle of commands as root like a script
>>
>>> So we're talking about limited circumstances where
>>> the attacker can modify files and not execute code, or where the
>>> attacker is root but not CAP_SYS_ADMIN (or whatever it is)
>>
>> a httpd running with SElinux disabled or in permissive mode with
> 
> Here is your problem ... How about running it in enforcing mode? I mean you care ab out security and disable
> security features at the same time. If there are selinux bugs file and/or fix them

if you are able to marry pure-ftpd, samba and 250 cms-installations predictable
on a machine running also *self developed* managment-software for a complete
infrastructure on 20 Fedora servers with SElinux go ahead :-)

been there done that and it makes thiings so secure that they are completly
unuseable because you are searching all day long for problems acess denied
here and there

however, if nobody is interested in my proposal i am fine since i do not
use the fedora packages for critial services and the own infrastructure
is using systemd-units how we want, need and can predictable support them


Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux