Proposal: ReadOnlyDirectories /etc and /usr for network-services

Reindl Harald h.reindl at thelounge.net
Mon Jul 22 14:45:42 UTC 2013



On 22.07.2013 16:37, Michael Scherer wrote:
> On Monday, 22 July 2013 at 00:02 +0200, Reindl Harald wrote:
>> has anybody considered putting the following as default in systemd-units of
>> network services? cross-posting to  users-list intended because i think it
>> is a good idea to bring it to a broader userbase!
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>>
>> http://www.freedesktop.org/software/systemd/man/systemd.exec.html
>>
>> additionally having the RPM database to accessible for network-services
>> is fine, set for all listed below and reduces the attack surface
>>
>> InaccessibleDirectories=/var/lib/rpm
>> InaccessibleDirectories=/var/lib/yum
>> __________________________________________________
>>
>> this would greatly reduce the impact of a possible root-exploit
>> and IMHO make installing a rootkit hard to impossible while
>> it is a good compromise to read-only /usr on its own partition
>> without making system-administration via SSH harder
> 
> I am not sure for /var/lib/rpm

no webserver, mailserver, rsyslog or whatever needs to access the RPM db
I would say for 99% of services it is pretty fine to disable access
maybe exceptions for management software

> For /usr and /etc, you need to be root to modify them most of the time
> if I am not wrong, and so if you are root, can you set them as being rw
> again?)

AFAIK no or at least very difficult at all - systemd is the supervisor

> ( and anyway, even if root can change that, it may be sufficient to stop
> some automated worms, as I have already seen one that overwrite openssh
> binary, this would have been prevented)

*that's the idea behind*

>> exceptions:
>>
>> * trafficserver
>>   it touches /etc/trafficserver at startup
>>   "ReadOnlyDirectories=/usr" is fine
> 
> Seems like a bug in the software. It would prevent having it run from a
> livecd.

yes and no

if you have not enabled cluster-support it should not need
to touch its config but it does, including backups in the
form of _1 files; most of them can be set RO for the ats
user and it whines in the logs but is fine to start

but because of the cluster-thing you can't make /etc read-only as default

>> * mediathomb
>>   refuses for whatever reason to start with read-only /etc
>>   "ReadOnlyDirectories=/usr" is fine
> 
> Same as above

that is for sure a bug

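The restrictions proposed in the thread, as an added example that is not part of the original mail or of any Fedora package: a drop-in that applies them to an existing unit, plus a helper that checks the drop-in really carries every directive before the unit is reloaded. Assumptions: a systemd of the 2013 era or newer (ReadOnlyDirectories= and InaccessibleDirectories= were renamed to ReadOnlyPaths= and InaccessiblePaths= in systemd 231, which still accepts the old names as aliases), and a service that does not write under /etc or /usr at runtime. One caveat on the "can root set them rw again?" question above: these directives are bind mounts in the service's private mount namespace, and a process holding CAP_SYS_ADMIN can remount them read-write, so the drop-in also drops that capability; services that genuinely need it (anything that mounts) must leave that line out and lose the guarantee.

```shell
#!/bin/sh
# Added example, not code from the original mail. Installs and checks a
# systemd drop-in that makes /etc and /usr read-only and hides the RPM/yum
# databases from a network service. Unit name and output root are
# parameters; "httpd.service" and the temporary root in the usage are
# assumptions for illustration.

# Print the drop-in body. Repeating a key appends paths, as in the proposal;
# "ReadOnlyDirectories=/etc /usr" on one line would be equivalent.
# CapabilityBoundingSet=~CAP_SYS_ADMIN removes the capability a root process
# inside the service would need to remount the bind mounts read-write.
hardening_dropin() {
    cat <<'EOF'
[Service]
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
CapabilityBoundingSet=~CAP_SYS_ADMIN
EOF
}

# Write the drop-in for unit $1 to $2/etc/systemd/system/$1.d/10-readonly.conf
# ($2 defaults to the real root). A drop-in merges into the vendor unit, so
# the packaged file under /usr/lib stays untouched by rpm upgrades.
install_dropin() {
    unit="$1"
    root="${2:-}"
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir" && hardening_dropin > "$dir/10-readonly.conf"
}

# Return 0 only if every required key=path line is present, verbatim, in
# file $1; a partial drop-in (e.g. /etc protected but the RPM db still
# reachable) returns 1 so a deployment script can refuse to reload.
dropin_has_directives() {
    f="$1"
    for kv in ReadOnlyDirectories=/etc \
              ReadOnlyDirectories=/usr \
              InaccessibleDirectories=/var/lib/rpm \
              InaccessibleDirectories=/var/lib/yum \
              CapabilityBoundingSet=~CAP_SYS_ADMIN; do
        grep -qx "$kv" "$f" || return 1
    done
    return 0
}

# Usage on a real host (needs root; the unit name is an assumption):
#   install_dropin httpd.service && systemctl daemon-reload && systemctl restart httpd.service
# Then confirm from inside the sandbox that /etc is really read-only and
# /var/lib/rpm is really gone:
#   systemctl show -p ReadOnlyDirectories -p InaccessibleDirectories httpd.service
#   nsenter -t "$(systemctl show -p MainPID --value httpd.service)" -m \
#       sh -c 'touch /etc/probe; ls /var/lib/rpm'   # both must fail
```

The nsenter probe enters the service's mount namespace, which is where the bind mounts live; running `touch /etc/probe` from an ordinary root shell proves nothing, because that shell is outside the namespace. After a change to the unit, run `systemctl daemon-reload` before `restart`, or the drop-in is silently ignored.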