Proposal: ReadOnlyDirectories /etc and /usr for network-services

Reindl Harald h.reindl at thelounge.net
Mon Jul 22 15:01:20 UTC 2013



On 22.07.2013 16:53, Miloslav Trmač wrote:
> On Mon, Jul 22, 2013 at 12:02 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> Has anybody considered putting the following as a default in the systemd units of
>> network services? Cross-posting to the users list is intended because I think it
>> is a good idea to bring it to a broader user base!
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
> 
> I think it's generally known by now that I don't like namespaces as a
> security mechanism.  At best, this is duplicating SELinux policy with
> less transparency and worse tools.

In general it is better to have more than one safety net
when it comes to security, and there are environments where
you simply cannot enforce SELinux because they become
unmaintainable (I have a few of them).

> (The network services shouldn't be running as root in the first place)

"Privilege escalation", I say here.

It is not very likely, *but* a non-privileged process can break out;
this did happen more than once in the past and will happen
again. Not every day, but when it happens it's bad.

However, I enforced this over the last few days, for the webserver even much
more than for the other services, and thought it may be a good idea to share
the result:

[Unit]
Description=Apache Webserver
After=network.service

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
Restart=always
RestartSec=1
UMask=006
PrivateTmp=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/proc
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
InaccessibleDirectories=/var/spool
InaccessibleDirectories=/usr/lib/dracut
InaccessibleDirectories=/usr/lib/firmware
InaccessibleDirectories=/usr/lib/modprobe.d
InaccessibleDirectories=/usr/lib/modules
InaccessibleDirectories=/usr/lib/modules-load.d
InaccessibleDirectories=/usr/lib/sysctl.d
InaccessibleDirectories=/usr/lib/tmpfiles.d
InaccessibleDirectories=/usr/lib/udev

[Install]
WantedBy=multi-user.target
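The following is an added example, not part of the thread and not systemd's own code: a small Python checker for the sandboxing directives used in the unit above. It parses a unit file with systemd's list semantics (a repeated key appends, an empty `Key=` assignment resets the list), works out what a given path looks like from inside the service's mount namespace, and flags the settings the thread argues for when they are missing. It accepts both the old directive names used here (`ReadOnlyDirectories=`, `InaccessibleDirectories=`) and the current spellings (`ReadOnlyPaths=`, `InaccessiblePaths=`). The precedence rule is this checker's assumption: the most specific (longest) directive covering a path wins, and on a tie the more restrictive mode wins. The two embedded unit fragments are constructed sample input, one modelled on the unit posted above and one deliberately weak.

```python
"""Checker for systemd path-sandboxing and capability directives (added example)."""
from collections import defaultdict
from pathlib import PurePosixPath

# Old directive names from the thread and the current systemd spellings.
PATH_DIRECTIVES = {
    "ReadWriteDirectories": "readwrite", "ReadWritePaths": "readwrite",
    "ReadOnlyDirectories": "readonly", "ReadOnlyPaths": "readonly",
    "InaccessibleDirectories": "inaccessible", "InaccessiblePaths": "inaccessible",
}
RANK = {"readwrite": 0, "readonly": 1, "inaccessible": 2}  # higher = more restrictive


def parse_unit(text):
    """Return {section: {key: [values]}}; repeated keys append, 'Key=' resets."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            sections[section][key] = []  # empty assignment resets the list
        else:
            sections[section][key].extend(value.split())
    return sections


def path_policy(service, path):
    """'inaccessible', 'readonly', 'readwrite' or 'default' for one path.

    Assumption of this checker: longest matching prefix wins; ties go to the
    more restrictive mode. A leading '-' (ignore if missing) is stripped.
    """
    target = PurePosixPath(path)
    best = None
    for directive, mode in PATH_DIRECTIVES.items():
        for entry in service.get(directive, []):
            prefix = PurePosixPath(entry.lstrip("-"))
            if prefix == target or prefix in target.parents:
                candidate = (len(prefix.parts), RANK[mode], mode)
                if best is None or candidate > best:
                    best = candidate
    return best[2] if best else "default"


def audit_service(unit_text):
    """List of findings for [Service]; an empty list means every check passed."""
    service = parse_unit(unit_text)["Service"]
    findings = []
    for path in ("/etc", "/usr"):
        if RANK.get(path_policy(service, path), -1) < RANK["readonly"]:
            findings.append(f"{path} is writable from inside the service")
    private_tmp = (service.get("PrivateTmp") or ["no"])[-1].lower()
    if private_tmp not in ("yes", "true", "on", "1"):
        findings.append("PrivateTmp is not enabled")
    if "CapabilityBoundingSet" not in service:
        findings.append("CapabilityBoundingSet is unset: full root capability set kept")
    else:
        # 'CapabilityBoundingSet=' (empty) drops everything, which is fine;
        # the '~' inverted form is not modelled by this checker.
        if "CAP_SYS_ADMIN" in set(service["CapabilityBoundingSet"]):
            findings.append("CAP_SYS_ADMIN kept: a root process can remount read-only bind mounts")
    return findings


# Constructed sample input: a fragment modelled on the posted unit, and a weak one.
HARDENED_UNIT = """
[Service]
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
PrivateTmp=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/boot
InaccessibleDirectories=/usr/lib/udev
"""
WEAK_UNIT = """
[Service]
ExecStart=/usr/sbin/httpd -D FOREGROUND
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
"""

if __name__ == "__main__":
    svc = parse_unit(HARDENED_UNIT)["Service"]
    for p in ("/etc/httpd/conf", "/usr/lib/udev/rules.d", "/var/www"):
        print(p, "->", path_policy(svc, p))
    print("hardened:", audit_service(HARDENED_UNIT) or "no findings")
    print("weak:", audit_service(WEAK_UNIT))
```

Running it shows `/usr/lib/udev/rules.d` reported as inaccessible even though `/usr` is only read-only, because the more specific `InaccessibleDirectories=/usr/lib/udev` wins; the weak unit produces four findings. The CAP_SYS_ADMIN check is the caveat worth keeping in mind with this approach: the read-only bind mounts only restrict a process that lacks the capability to change mounts, which is why the posted unit's `CapabilityBoundingSet=` matters as much as the directory lists.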

