Proposal: ReadOnlyDirectories /etc and /usr for network-services
Miloslav Trmač
mitr at volny.cz
Mon Jul 22 14:53:36 UTC 2013
On Mon, Jul 22, 2013 at 12:02 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> has anybody considered to put the following as default in systemd-units of
> network services? cross-posting to users-list intented because i think it
> is a good idea to bring it to a broader userbase!
>
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
I think it's generally known by now that I don't like namespaces as a
security mechanism. At best, this is duplicating SELinux policy with
less transparency and worse tools.
(The network services shouldn't be running as root in the first place.)
Mirek
More information about the devel
mailing list