Proposal: ReadOnlyDirectories /etc and /usr for network-services
Reindl Harald
h.reindl at thelounge.net
Thu Jul 25 18:39:36 UTC 2013
Am 25.07.2013 20:31, schrieb drago01:
> On Thu, Jul 25, 2013 at 6:36 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> Am 25.07.2013 17:57, schrieb drago01:
>>>> in theory yes
>>>>
>>>> practically a exploit is not that easy like fire
>>>> a bundle of commands as root like a script
>>>>
>>>>> So we're talking about limited circumstances where
>>>>> the attacker can modify files and not execute code, or where the
>>>>> attacker is root but not CAP_SYS_ADMIN (or whatever it is)
>>>>
>>>> a httpd running with SElinux disabled or in permissive mode with
>>>
>>> Here is your problem ... How about running it in enforcing mode? I mean you care ab out security and disable
>>> security features at the same time. If there are selinux bugs file and/or fix them
>>
>> if you are able to marry pure-ftpd, samba and 250 cms-installations predictable
>> on a machine running also *self developed* managment-software for a complete
>> infrastructure on 20 Fedora servers with SElinux go ahead :-)
>
> You missed the "and/or fix and file bugs" part
you missed the *self developed* managment-software
> It does not work so lets disable it and add hacks to get the same
> functionality back is bad practice.
no, using as much as possible security options without
damage the operational work is the one and only practice
if it comes to *business* and a lot of people living
from 365/24/7 up services with no "permissions denied"
where it is not intented
> If it does not work we should fix it
*you* can *not* fix anything in packages
in my case these are over more than 10 years grown environments
responsible for over 600 domains which was migrated from MacOSX
to Fedora years ago, there are a *lot* of packages involved which
are not existing for Fedora in the public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130725/a3938755/attachment.sig>
More information about the devel
mailing list