Proposal: ReadOnlyDirectories /etc and /usr for network-services

Daniel P. Berrange berrange at redhat.com
Mon Jul 22 16:22:57 UTC 2013


On Mon, Jul 22, 2013 at 04:53:36PM +0200, Miloslav Trmač wrote:
> On Mon, Jul 22, 2013 at 12:02 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> > has anybody considered to put the following as default in systemd-units of
> > network services? cross-posting to users-list intended because I think it
> > is a good idea to bring it to a broader userbase!
> >
> > ReadOnlyDirectories=/etc
> > ReadOnlyDirectories=/usr
> 
> I think it's generally known by now that I don't like namespaces as a
> security mechanism.  At best, this is duplicating SELinux policy with
> less transparency and worse tools.

Namespaces really aren't duplicating SELinux policy, they are working
in a complementary fashion. There is clear value in having multiple
layers of security defence because things do fail for any number of
reasons. In the SELinux case, we all know many admins will set it to
permissive mode, at which point your second line of defence becomes
your primary line of defence. Namespaces don't offer as much protection
as SELinux MAC, but they can offer more protection than plain DAC
control in certain usage scenarios.

> (The network services shouldn't be running as root in the first place.)

No argument there, but even if something is running as non-root there is
the potential for privilege escalation through security flaws in some
thing that they use. In such a scenario having a separate filesystem
namespace which has made certain areas read-only may well stop the
exploit.

There's obviously a cost/benefit tradeoff to be made, and we may consider
that just making /etc & /var readonly has not got enough benefit, but
just dismissing use of namespaces out of hand without doing such evaluation
is really not helpful.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
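As an added illustration of the proposal being discussed (this is not from the thread or from any Fedora package; the service name, binary path and user are placeholders), here is what a network service unit looks like with the two proposed directives added as a drop-in, alongside the non-root user that Miloslav asks for. The two lines make /etc and /usr read-only only inside this service's mount namespace; the rest of the system is unaffected. In systemd 231 and later the directive is spelled `ReadOnlyPaths=`, and `ReadOnlyDirectories=` is kept as an alias, so both forms work on current systems.

```ini
# /etc/systemd/system/example-netd.service.d/readonly.conf
# Drop-in for a hypothetical network service "example-netd" (placeholder name).
[Service]
# Run unprivileged first; the namespace restriction below is a second layer,
# not a substitute for dropping root.
User=example-netd
Group=example-netd

# The proposal from the thread: a private mount namespace in which /etc and
# /usr are mounted read-only. A compromised process can still read config
# and binaries, but cannot modify them to persist or escalate.
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr

# Caveat: a service that legitimately writes under /etc (e.g. rewriting its
# own config on reload) will start failing with EROFS. Check its write paths
# before enabling this, and log such failures rather than silently ignoring them.
```

After `systemctl daemon-reload` and a restart, the effect can be seen from inside the service's namespace: `nsenter -t <pid> -m cat /proc/mounts` lists /etc and /usr with the `ro` option while the rest of the host still shows them read-write. `ReadOnlyDirectories=` does not guard against every escalation path (a writable /var or a setuid binary under /usr is untouched by it), which is the cost/benefit evaluation Daniel is asking for.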
