Re: CVE-2016-8655, systemd, and Fedora

On Tue, Dec 13, 2016 at 10:00:10AM -0500, Matthew Miller wrote:
> On Tue, Dec 13, 2016 at 12:14:44PM +0100, Lennart Poettering wrote:
> > Well, the security policies need to be adapted to the service in
> > question, hence a blanket switch to enable all of them for every
> > service is problematic. Let's say you block gettimeofday()
> > system-wide, but then run an NTP service: you just broke it...
> > 
> > I fear it's too late to turn on all sandboxing options by default for
> > regular services. If we would have had them back when we started we
> > of course would have made them opt-out rather than opt-in, but that's
> > too late now...
> 
> I'm not so sure it's too late, if we would publicize the change well
> enough in advance and have some proven packagers dedicated to finding
> any exceptions. It's a matter of how much priority we put on
> preventative security measures.

You have to take into account non-distro services that people have.
Globally disabling certain address families will result in silent and
hard to debug failures.

I don't think there's any other way except to enable this one by one for
existing services.

> For a less-effort version, we could update
> https://fedoraproject.org/wiki/Packaging:Systemd and have an (internal)
> marketing campaign asking people to update their packages (as
> suggested, ideally upstream).

That would be great.

This can only be done bottom-up, because usually you need to know some
program very very well to know what policies can be applied to it
that will not break not just the default configuration, but any
reasonable configuration that people might be carrying.

Zbyszek
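
An added example, not part of the original thread: a per-unit audit that reports whether a service may still create sockets of a given address family (AF_PACKET is the family involved in CVE-2016-8655), which is the kind of one-by-one check the message argues for. The unit texts and paths are constructed, and the parser is a simplified model of how systemd merges repeated `RestrictAddressFamilies=` assignments (line continuations and the `none` value are not handled).

```python
# Added example: constructed unit text, simplified model of systemd's merge rules.
NTP_LIKE = """
[Service]
ExecStart=/usr/bin/example-timesyncd
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
"""
LEGACY = "[Service]\nExecStart=/opt/vendor/bin/example-daemon\n"
# A drop-in is modelled by appending its text after the unit, in load order.
DROPIN = "[Service]\nRestrictAddressFamilies=~AF_PACKET\n"

def effective_policy(unit_text):
    """Return (is_allowlist, families), or None when nothing is restricted."""
    families, is_allow, in_service = None, False, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_service = line == "[Service]"
            continue
        key, sep, value = line.partition("=")
        if not in_service or not sep or key.strip() != "RestrictAddressFamilies":
            continue
        value = value.strip()
        if not value:                      # empty assignment resets the setting
            families, is_allow = None, False
            continue
        invert = value.startswith("~")     # "~" marks a deny-list entry
        if families is None:               # first assignment fixes the list type
            families, is_allow = set(), not invert
        for name in value.lstrip("~").split():
            if invert != is_allow:         # same polarity as the list: add
                families.add(name)
            else:                          # opposite polarity: remove
                families.discard(name)
    return None if families is None else (is_allow, families)

def may_open(unit_text, family):
    """True if the merged policy still lets the service create `family` sockets."""
    policy = effective_policy(unit_text)
    if policy is None:
        return True                        # no directive: every family is allowed
    is_allow, families = policy
    return (family in families) == is_allow

if __name__ == "__main__":
    units = {"ntp-like": NTP_LIKE, "legacy": LEGACY, "legacy+dropin": LEGACY + DROPIN}
    for name, text in units.items():
        print(name, "AF_PACKET allowed:", may_open(text, "AF_PACKET"))
```
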