Proposal: ReadOnlyDirectories /etc and /usr for network-services
Reindl Harald
h.reindl at thelounge.net
Mon Jul 22 14:45:42 UTC 2013
On 22.07.2013 16:37, Michael Scherer wrote:
> On Monday, 22 July 2013 at 00:02 +0200, Reindl Harald wrote:
>> has anybody considered putting the following as default in systemd-units of
>> network services? cross-posting to users-list intended because I think it
>> is a good idea to bring it to a broader userbase!
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>>
>> http://www.freedesktop.org/software/systemd/man/systemd.exec.html
>>
>> additionally, having the RPM database inaccessible for network-services
>> is fine, set for all listed below, and reduces the attack surface
>>
>> InaccessibleDirectories=/var/lib/rpm
>> InaccessibleDirectories=/var/lib/yum
>> __________________________________________________
>>
>> this would greatly reduce the impact of a possible root-exploit
>> and IMHO make installing a rootkit hard to impossible, while
>> it is a good compromise to a read-only /usr on its own partition
>> without making system-administration via SSH harder
>
> I am not sure for /var/lib/rpm
no webserver, mailserver, rsyslog or whatever needs to access the RPM db
I would say for 99% of services it is pretty fine to disable access
maybe exceptions for management software
> For /usr and /etc, you need to be root to modify them most of the time
> if I am not wrong, and so if you are root, can you set them as being rw
> again?
AFAIK no, or at least very difficult - systemd is the supervisor
> (and anyway, even if root can change that, it may be sufficient to stop
> some automated worms, as I have already seen one that overwrote the openssh
> binary; this would have been prevented)
*that's the idea behind it*
>> exceptions:
>>
>> * trafficserver
>> it touches /etc/trafficserver at startup
>> "ReadOnlyDirectories=/usr" is fine
>
> Seems like a bug in the software. It would prevent it from running from a
> live CD.
yes and no
if you have not enabled cluster-support it should not need
to touch its config, but it does, including backups in the
form of _1 files; most of them can be set RO for the ats
user and it whines in the logs but is fine to start
but because of the cluster-thing you can't make /etc read-only by default
>> * mediatomb
>> refuses for whatever reason to start with read-only /etc
>> "ReadOnlyDirectories=/usr" is fine
>
> Same as above
that is for sure a bug
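An added check, not from this thread or from systemd itself: a small POSIX sh/awk audit of a unit file for the four directives discussed above, so a packager can see at a glance which network service units lack them. Function names (unit_has_path, audit_unit) and the two sample units are constructed for this example; it reads one file and does not merge drop-ins.

```shell
# Added example, not from the thread. Assumes the classic directive names
# ReadOnlyDirectories= / InaccessibleDirectories=; newer systemd spells them
# ReadOnlyPaths= / InaccessiblePaths=, and both spellings are accepted here.
# unit_has_path FILE 'NameA|NameB' PATH: succeed if the [Service] section
# sets one of the named directives to a list containing PATH. An empty
# assignment (Name=) resets the list, as systemd does; a leading '-' (ignore
# if missing) is stripped before comparing.
unit_has_path() {
    awk -v dir="$2" -v want="$3" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && $0 ~ ("^(" dir ")=") {
            sub(/^[^=]*=/, "")
            if ($0 == "") { found = 0; next }
            n = split($0, p, / +/)
            for (i = 1; i <= n; i++) { sub(/^-/, "", p[i]); if (p[i] == want) found = 1 }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}
# audit_unit FILE: print each missing directive; return 1 if any is missing.
audit_unit() {
    rc=0
    for spec in "ReadOnlyDirectories|ReadOnlyPaths:/etc" \
                "ReadOnlyDirectories|ReadOnlyPaths:/usr" \
                "InaccessibleDirectories|InaccessiblePaths:/var/lib/rpm" \
                "InaccessibleDirectories|InaccessiblePaths:/var/lib/yum"; do
        dirs=${spec%%:*}; path=${spec#*:}
        unit_has_path "$1" "$dirs" "$path" || { echo "missing: ${dirs%%|*}=$path"; rc=1; }
    done
    return $rc
}
# Constructed sample units for a stand-alone run (not real Fedora units).
tmp=$(mktemp -d)
cat > "$tmp/hardened.service" <<'EOF'
[Service]
ExecStart=/usr/bin/true
ReadOnlyDirectories=/etc
ReadOnlyDirectories=-/usr
InaccessibleDirectories=/var/lib/rpm /var/lib/yum
EOF
cat > "$tmp/loose.service" <<'EOF'
[Service]
ReadOnlyDirectories=/etc
ReadOnlyDirectories=
EOF
for u in hardened loose; do
    if audit_unit "$tmp/$u.service"; then echo "$u: ok"; fi
done
```

The loose unit reports all four as missing because its second, empty ReadOnlyDirectories= line resets the list, which is the easy-to-miss case when a later drop-in clears an earlier setting.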