Re: unsafe systemd setup in Fedora

Hi

On Thu, Mar 3, 2022 at 9:51 AM Lennart Poettering wrote:

> Yes, opt-out would be better than opt-in, but it would be a major
> compat break: UNIX software doesn't expect to be sandboxed, so if you
> sandbox everything out-of-the-box you'll be drowning in bugs, and the
> failure modes are not overly nice, i.e. you'll mostly rely on
> EPERM/EACCES hopefully being logged sanely by the relevant software.
>
> ProtectHome= for example implies that a separate mount namespace is
> allocated for each service. If you enable that for *all* services at
> once, then this means all services will suddenly live in their own
> mount namespaces, and the mounts they establish will not propagate
> elsewhere anymore. Thus you broke at least udisks, storaged, homed,
> systemd-runtime-dir@.service and these kinds of things — because they
> exist precisely to establish mounts in the system.

What I would suggest here is that we make it easier to adopt the opt-out model by explicitly setting services to opt out of the things they can't handle. I.e., if a core set of services we ship within Fedora itself needs some permissions, including ProtectHome set to false, push for upstream/distro to set those knobs to false explicitly within the service, so the permissions it needs are more clearly documented within the service itself. Then, if a hardened variant of a distro or a sysadmin wants to flip the model, they will have a considerably easier time with this. Nagging is a good starting point but doesn't go far enough. The adoption of these features is still very low. We can do better.

Rahul
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
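The proposal above hinges on one distinction: a unit that explicitly says `ProtectHome=no` (documenting a need, as udisks or homed would) versus a unit that simply never mentions the directive and silently gets the off default. The script below is an added example, not part of this thread or of systemd, that audits unit text for exactly that distinction and shows how a hardening drop-in flips the default for a unit that left it unset. It implements only the subset of unit-file syntax needed here (sections, `Key=Value`, `#`/`;` comments, backslash continuation, last assignment wins, drop-ins layered in order); treating an empty assignment as a reset to the default, the list of audited directives, and the sample units are assumptions made for the example.

```python
"""Audit systemd-style unit text for sandboxing directives that are set
explicitly versus silently left at their default (added example; the
directive list, the empty-value-resets rule and the sample units are
assumptions, not systemd's own semantics or code)."""
import re

# Directives whose default is "off".  A service that genuinely needs one of
# them off should say so in the unit, so a hardened profile can be reviewed
# against an explicit statement rather than an absence.
SANDBOX_DIRECTIVES = ("ProtectHome", "ProtectSystem", "PrivateTmp",
                      "PrivateDevices", "NoNewPrivileges")
TRUE_WORDS = {"1", "yes", "true", "on"}
FALSE_WORDS = {"0", "no", "false", "off"}
# Non-boolean values that still enable the protection.
ENABLING_WORDS = {"ProtectHome": {"read-only", "tmpfs"},
                  "ProtectSystem": {"full", "strict"}}
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_unit(text, into=None):
    """Parse unit text into {section: {key: value}}, merging over `into`
    so drop-ins can be layered in order (a later assignment wins)."""
    sections = into if into is not None else {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):            # backslash line continuation
            pending = line[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":                    # assumption: empty value resets
            sections[current].pop(key, None)
        else:
            sections[current][key] = value
    return sections


def classify(directive, value):
    """Map a directive's effective value to an explicit/unset status."""
    if value is None:
        return "unset (default: off)"
    v = value.lower()
    if v in TRUE_WORDS or v in ENABLING_WORDS.get(directive, set()):
        return f"explicit on ({value})"
    if v in FALSE_WORDS:
        return f"explicit off ({value})"
    return f"unrecognised ({value})"


def audit(unit_text, *dropins):
    """Status of each sandbox directive in the effective [Service] section
    after applying drop-ins in order."""
    sections = parse_unit(unit_text)
    for d in dropins:
        parse_unit(d, into=sections)
    service = sections.get("Service", {})
    return {d: classify(d, service.get(d)) for d in SANDBOX_DIRECTIVES}


def implicit_gaps(status):
    """Directives a unit neither enables nor explicitly opts out of."""
    return [d for d, s in status.items() if s.startswith("unset")]


# Constructed sample units modelled on the cases discussed in the email.
MOUNT_HELPER_UNIT = """\
[Unit]
Description=Example disk mount helper (constructed sample)
[Service]
ExecStart=/usr/libexec/example-mount-helper
# Establishes mounts that must be visible system-wide, so this unit
# cannot live in a private mount namespace: opt out explicitly.
ProtectHome=no
PrivateTmp=no
NoNewPrivileges=yes
"""
WEB_UNIT = """\
[Unit]
Description=Example web service (constructed sample)
[Service]
ExecStart=/usr/bin/example-web --listen 8080 \\
    --workers 4
PrivateTmp=yes
"""
HARDENED_DROPIN = """\
# 50-hardened.conf: a hardening profile flipping the defaults
[Service]
ProtectHome=yes
ProtectSystem=strict
NoNewPrivileges=yes
"""

if __name__ == "__main__":
    for name, status in (("mount helper", audit(MOUNT_HELPER_UNIT)),
                         ("web (as shipped)", audit(WEB_UNIT)),
                         ("web (+drop-in)", audit(WEB_UNIT, HARDENED_DROPIN))):
        print(f"{name}:")
        for directive, s in status.items():
            print(f"  {directive:18} {s}")
        print("  silently unset:", ", ".join(implicit_gaps(status)) or "none")
```

Run as a script, it shows that the mount helper's opt-out is visible and reviewable, that the web unit as shipped leaves four directives silently at their default, and that the drop-in closes most of those gaps without touching the unit itself. In a real audit one would feed it the output of `systemctl cat` for each unit, which already concatenates the unit with its drop-ins in application order.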
