Proposal: ReadOnlyDirectories /etc and /usr for network-services
Michael Scherer
misc at zarb.org
Mon Jul 22 14:37:39 UTC 2013
On Monday, 22 July 2013 at 00:02 +0200, Reindl Harald wrote:
> Hi
>
> has anybody considered putting the following as default in systemd units of
> network services? Cross-posting to the users list intended because I think it
> is a good idea to bring it to a broader user base!
>
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
>
> http://www.freedesktop.org/software/systemd/man/systemd.exec.html
>
> additionally, having the RPM database not accessible for network services
> is fine, set for all listed below, and reduces the attack surface
>
> InaccessibleDirectories=/var/lib/rpm
> InaccessibleDirectories=/var/lib/yum
> __________________________________________________
>
> this would greatly reduce the impact of a possible root exploit
> and IMHO make installing a rootkit hard to impossible, while
> it is a good compromise to read-only /usr on its own partition
> without making system administration via SSH harder
I am not sure about /var/lib/rpm.
For /usr and /etc, you need to be root to modify them most of the time
if I am not wrong, and so if you are root, can you set them as being rw
again?
(and anyway, even if root can change that, it may be sufficient to stop
some automated worms, as I have already seen one that overwrites the openssh
binary; this would have been prevented)
> exceptions:
>
> * trafficserver
> it touches /etc/trafficserver at startup
> "ReadOnlyDirectories=/usr" is fine
Seems like a bug in the software. It would prevent running it from a
live CD.
> * mediatomb
> refuses for whatever reason to start with read-only /etc
> "ReadOnlyDirectories=/usr" is fine
Same as above.
--
Michael Scherer
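A small audit of the directives proposed in this thread, added here as an example and not code from the thread or from systemd: given a unit's resolved text (assumed to be the output of `systemctl cat <unit>`, so drop-ins are already merged), it reports which of the proposed read-only and inaccessible paths the unit does not set. Newer systemd documents the same directives as ReadOnlyPaths= and InaccessiblePaths=, so both spellings are accepted; the sample unit at the bottom is constructed.

```python
import re

# Paths the proposal in this thread asks every network service to sandbox.
EXPECTED_READONLY = {"/etc", "/usr"}
EXPECTED_INACCESSIBLE = {"/var/lib/rpm", "/var/lib/yum"}

# Directive names used in the thread plus the aliases newer systemd uses.
ALIASES = {"ReadOnlyDirectories": "readonly", "ReadOnlyPaths": "readonly",
           "InaccessibleDirectories": "inaccessible", "InaccessiblePaths": "inaccessible"}

def collect_paths(unit_text):
    """Gather read-only / inaccessible paths from the [Service] section.
    A directive may repeat and list several space-separated paths."""
    paths = {"readonly": set(), "inaccessible": set()}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                          # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        kind = ALIASES.get(key)
        if kind is None:
            continue
        if value == "":
            paths[kind].clear()               # "Key=" resets the list so far
            continue
        for p in value.split():
            paths[kind].add(p.lstrip("-"))    # "-" prefix: ignore if missing
    return paths

def audit_unit(unit_text):
    """Return which of the proposed paths the unit leaves unprotected."""
    found = collect_paths(unit_text)
    return {"readonly_missing": sorted(EXPECTED_READONLY - found["readonly"]),
            "inaccessible_missing": sorted(EXPECTED_INACCESSIBLE - found["inaccessible"])}

# Constructed sample: /etc and the rpm db are covered, /usr and the yum dir are not.
SAMPLE_UNIT = """[Service]
ExecStart=/usr/sbin/exampled
ReadOnlyDirectories=/etc
InaccessibleDirectories=/var/lib/rpm
"""
```

Running audit_unit over each unit in /etc/systemd/system and /usr/lib/systemd/system gives a quick list of which network services still lack the proposed settings.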