Default services enabled

Jef Spaleta jspaleta at gmail.com
Tue Aug 23 05:22:06 UTC 2011


On Mon, Aug 22, 2011 at 4:32 PM, Lennart Poettering <mzerqung at 0pointer.de> wrote:

> In fact, systemd offers quite a number of security features to secure your
> services which can be easily used to enhance local security. I'll
> probably blog about this soonishly, but there's a lot of nice stuff in
> there. For example, set "PrivateNetwork=yes" in a service file and the
> service will be entirely cut off from the network, so that no network
> interfaces are visible anymore. It will only have access to a private,
> isolated instance of the loopback device. This is something we should
> set for a number of services which never should get network access, like
> upower, dbus, or colord. Another really simple option like this is
> "PrivateTmp=yes" which gives the service a private, isolated /tmp
> directory, so that it won't see and cannot access other processes'
> files. Stuff like this is really easy to use, and brings immediate
> security benefits, since it locks services into flexible jails,
> minimizing the attack surface and locking in exploiters.
>
>
Fascinating.  Very fascinating.  For the sake of argument, what would I have
to do on a sysvinit-ish system (say F14) to get dbus on an equivalent
private network?

-jef
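
A defender-side check for the two options described in the quoted message, as an added example that is not part of the original post or systemd's own code: it parses unit-file text and reports services that do not enable `PrivateNetwork=` or `PrivateTmp=`. The unit contents, paths and helper names are constructed for illustration; drop-in files and the rest of systemd's unit-file syntax are not handled.

```python
# Added example: flag services whose unit text lacks the sandboxing options above.
# Unit contents and paths are constructed samples, not Fedora's shipped units.
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings
WANTED = ("PrivateNetwork", "PrivateTmp")

def parse_service_section(text):
    """Return {key: value} from [Service]; a later assignment overrides an earlier one."""
    settings, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def missing_sandboxing(unit_text):
    """List the wanted options that are absent or not set to a true value."""
    service = parse_service_section(unit_text)
    return [k for k in WANTED if service.get(k, "").lower() not in TRUE_VALUES]

def audit(units):
    """Map each unit name to the options it still lacks (empty list = both set)."""
    return {name: missing_sandboxing(text) for name, text in units.items()}

SAMPLE_UNITS = {  # constructed inputs
    "upower.service": "[Service]\nExecStart=/path/to/upowerd\n"
                      "PrivateNetwork=yes\nPrivateTmp=yes\n",
    "colord.service": "[Service]\nExecStart=/path/to/colord\nPrivateTmp=true\n",
    # commented-out setting is ignored; the final PrivateNetwork=no wins
    "dbus.service": "[Service]\n# PrivateTmp=yes\nPrivateNetwork=yes\n"
                    "ExecStart=/path/to/dbus-daemon \\\n  --system\n"
                    "PrivateNetwork=no\n",
}

if __name__ == "__main__":
    for name, gaps in sorted(audit(SAMPLE_UNITS).items()):
        print(name, "OK" if not gaps else "missing: " + ", ".join(gaps))
```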