Re: Proposal: ReadOnlyDirectories /etc and /usr for network-services

On 25.07.2013 19:48, Lennart Poettering wrote:
> On Mon, 22.07.13 00:02, Reindl Harald (h.reindl@xxxxxxxxxxxxx) wrote:
>> has anybody considered putting the following as default in systemd units of
>> network services? cross-posting to the users list intended because I think it
>> is a good idea to bring it to a broader userbase!
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
> 
> So, I could agree to this part.

which is my proposal

>> additionally having the RPM database to accessible for network services
>> is fine, set for all listed below and reduces the attack surface
>>
>> InaccessibleDirectories=/var/lib/rpm
>> InaccessibleDirectories=/var/lib/yum
> 
> This part gives me a headache though

which was not part of my proposal but could be considered additionally
for services which never have to deal with the rpm database, like
httpd

> "ReadOnlyDirectories=/etc /usr" simply encodes the semantics that we
> generally assume that /etc and /usr have, in a single configuration option:
> /etc and /usr are generally read-only during runtime, and only writable
> when configured or new packages are installed. A setting like this
> should pretty universally work for all services with very few
> exceptions. This is why I like this.
> 
> However, the rpm/yum lines come awfully close to a MAC solution which
> labels all objects and assigns access modes to them. It is also much less
> universal as these files/dirs may rightfully be accessed by a number of
> system services.

see above

> systemd should not be misunderstood as a reimplementation of SELinux or
> AppArmor, hence finegrained labelling of specific files and dirs sounds
> like nothing we should do. OTOH making /etc and /usr read-only just
> means enforcing generally assumed semantics of these top-level
> directories, and so I'd be happy to

I do not misunderstand it

it comes *additionally* to it, could be a sane default and steps in
when a) SELinux, which is fine-grained, may fail for whatever reason
or is not possible to enforce depending on the environment

having a cheap and easy-to-maintain *additional* barrier is
mostly a good idea, and the biggest benefit of these systemd features
is that they only protect network-aware services

this draws a nice line between having /usr on its own read-only mounted
partition, with all the side effects in administration and space allocation
in cloud environments, while reaching a comparable goal

> So, yeah, if somebody wants to work on getting "ReadOnlyDirectories=/etc
> /usr" into the packaging guidelines as proposed default for all system
> services, I'd certainly support that, but since I have had enough of
> discussing and dealing with Fedora committees and discussion forums this
> is something somebody else has to champion or it won't happen

I understand this well; the services interesting to me have their
units in /etc/systemd/system/ or come from the internal repos where
I build *most* for our infrastructure from source (anything
related to web and mail services)

if someone takes this global, or maintainers of specific services
agree and include it for their packages like httpd, which is
the most attacked and sensitive one by the fact that PHP and
whatever languages expose exec(), system()..., is a different
thing and has no impact on my decision to use it for all servers
I am responsible for since some days, and I am *really thankful*
to have this option


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
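For readers who want to see how the two halves of this thread land in an actual unit, here is a drop-in for the httpd case that keeps being used as the example. It is added here as an illustration; it is not from the thread, from Fedora's httpd package, or from systemd's documentation. The unit name httpd.service, the drop-in file path and the ReadWriteDirectories exception are assumptions. The spellings match the thread's era; newer systemd releases renamed these directives to ReadOnlyPaths=, InaccessiblePaths= and ReadWritePaths= and still accept the old names.

```ini
# /etc/systemd/system/httpd.service.d/hardening.conf   (assumed path, example only)
#
# Every directive below makes systemd start the service inside its own mount
# namespace, so the restrictions apply only to this process tree. The rest of
# the system, and every other unit, keeps its normal view of the filesystem.
[Service]
# The part of the proposal Lennart agreed to: /etc and /usr are read-only at
# runtime. A write attempt from the service (or from anything it exec()s, e.g.
# PHP via system()) fails with EROFS instead of modifying packaged files.
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr

# The part he did not want as a general default. The author says it could still
# be set per service where the service never needs the RPM database; inside the
# namespace these paths are over-mounted so that open()/stat() report ENOENT.
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum

# Lennart's "very few exceptions" caveat: a service that legitimately writes
# below /etc must have that subtree re-opened, or it fails at startup.
# Assumed example for a daemon that rewrites its own generated config:
# ReadWriteDirectories=/etc/httpd/conf.d/generated
```

After placing the file, run systemctl daemon-reload and restart the unit. On current systemd, systemctl show -p ReadOnlyPaths httpd.service prints the effective setting; on releases of the thread's era the property is named ReadOnlyDirectories. The practical check is to trigger a write from inside the service (a PHP page that calls touch() on a file under /etc, for instance) and confirm the journal shows the EROFS failure rather than a modified file.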
