Looking at the current security issues and how it triggers the troll-army I wonder why systemd-journald.service is not restricted from at least writing to /usr and /root, at least on Fedora 28 (that it's not vulnerable because of compiler hardening is just luck)

[root@testserver:~]$ cat /etc/systemd/system/systemd-journald.service.d/security.conf
[Service]
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/run
ReadWritePaths=/var

[root@testserver:~]$ systemctl status systemd-journald.service
● systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
  Drop-In: /etc/systemd/system/systemd-journald.service.d
           └─security.conf
   Active: active (running) since Thu 2019-01-10 19:00:30 CET; 42s ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 398 (systemd-journal)
   Status: "Processing requests..."
    Tasks: 1 (limit: 512)
   Memory: 4.7M
   CGroup: /system.slice/systemd-journald.service
           └─398 /usr/lib/systemd/systemd-journald

Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Journal started
Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Runtime journal (/run/log/journal/b3591cfc6c4e65ea231a7d08489dc40f) is 2.5M, max 10.0M, 7.5M free.
Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Runtime journal (/run/log/journal/b3591cfc6c4e65ea231a7d08489dc40f) is 2.5M, max 10.0M, 7.5M free.

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
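One way to check that a drop-in like the security.conf above actually took effect, as an added example that is not part of the original mail: a small POSIX shell audit of the properties `systemctl show` reports for the unit. The two sample outputs are constructed, and the space-separated layout of the `ReadWritePaths=` value is an assumption about that output.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit the sandboxing properties
# systemd reports for a unit. On a real host feed the function with
#   systemctl show -p ProtectSystem,ProtectHome,ReadWritePaths systemd-journald.service | audit_sandbox
# Two constructed samples of that output are used here so the script runs offline.

# Constructed: what the unit reports once the security.conf drop-in is active.
SAMPLE_HARDENED='ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/run /var'

# Constructed: a unit left at defaults, plus a write path poked into /usr.
SAMPLE_WEAK='ProtectSystem=no
ProtectHome=no
ReadWritePaths=/usr/local/bin /var'

# audit_sandbox: read key=value lines from stdin, print each finding,
# and return the number of findings (0 means the unit is locked down).
audit_sandbox() {
    findings=0
    while IFS='=' read -r key value; do
        case "$key" in
        ProtectSystem)
            [ "$value" = "strict" ] ||
                { echo "ProtectSystem=$value (want strict)"; findings=$((findings + 1)); }
            ;;
        ProtectHome)
            [ "$value" = "yes" ] ||
                { echo "ProtectHome=$value (want yes)"; findings=$((findings + 1)); }
            ;;
        ReadWritePaths)
            # Every path listed here re-opens a write hole in ProtectSystem=strict;
            # flag the trees the mail wants journald kept out of (/usr, /root) plus /etc.
            for p in $value; do
                case "$p" in
                /usr|/usr/*|/etc|/etc/*|/root|/root/*)
                    echo "ReadWritePaths re-enables writes to $p"
                    findings=$((findings + 1))
                    ;;
                esac
            done
            ;;
        esac
    done
    return "$findings"
}

printf '%s\n' "$SAMPLE_HARDENED" | audit_sandbox && echo "hardened sample: clean"
printf '%s\n' "$SAMPLE_WEAK" | audit_sandbox || echo "weak sample: $? finding(s)"
```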