Proposal: ReadOnlyDirectories /etc and /usr for network-services
Reindl Harald
h.reindl at thelounge.net
Mon Jul 22 17:28:12 UTC 2013
Am 22.07.2013 18:10, schrieb Nicolas Mailhot:
> Le Lun 22 juillet 2013 00:02, Reindl Harald a écrit :
>> has anybody considered to put the following as default in systemd-units of
>> network services? cross-posting to users-list intented because i think it
>> is a good idea to bring it to a broader userbase!
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>
> It would be very nice if write-protection of FHS-defined RO directories
> was applied by default, except for the software updater or during explicit
> maintenance operations
the idea behind my proposl is to reach nearly the same as
a system-wide write-protection or mount read-only without
impact maintenance - i see it as compromise
i do not want to have a webserver exploited and damage my
system while i do not want /usr globally read-only which
would kill cronjobs and own software running on top
of Fedora in /usr/local
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130722/62d901de/attachment-0001.sig>
More information about the devel
mailing list