Proposal: ReadOnlyDirectories /etc and /usr for network-services

Reindl Harald h.reindl at thelounge.net
Sun Jul 21 22:03:01 UTC 2013


-------- Original Message --------
Subject: Proposal: ReadOnlyDirectories /etc and /usr for network-services
Date: Mon, 22 Jul 2013 00:02:02 +0200
From: Reindl Harald <h.reindl at thelounge.net>
To: Mailing-List fedora-devel <devel at lists.fedoraproject.org>

Hi

has anybody considered putting the following as default in the systemd units of
network services? cross-posting to the users list is intended because I think it
is a good idea to bring it to a broader userbase!

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr

http://www.freedesktop.org/software/systemd/man/systemd.exec.html

additionally, having the RPM database inaccessible to network services
is fine; it is set for all listed below and reduces the attack surface

InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
__________________________________________________

this would greatly reduce the impact of a possible root exploit
and IMHO make installing a rootkit hard to impossible, while
it is a good compromise to a read-only /usr on its own partition
without making system administration via SSH harder
__________________________________________________

currently I am in production with it for the following services,
most of them in real production (customer services) and a few on
home servers or even not available in the Fedora repos

* asterisk
* dbmail
* dhcpd
* dnsmasq
* dovecot (running as IMAP/POP3 proxy and SASL)
* hostapd
* httpd
* hylafax
* iaxmodem
* mailgraph
* mpd
* mpdscribble
* mysqld
* named
* netatalk
* ntpd
* open-vm-tools
* openvpn
* postfix
* prosody
* pulseaudio (systemwide)
* pure-ftpd
* rsyslog
* smbd
* smokeping
* unbound
* vnstat
* xinetd (TFTP)
__________________________________________________

exceptions:

* trafficserver
  it touches /etc/trafficserver at startup
  "ReadOnlyDirectories=/usr" is fine

* mediatomb
  refuses for whatever reason to start with a read-only /etc
  "ReadOnlyDirectories=/usr" is fine
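As an added illustration (not part of the original post), this is what the proposed hardening looks like when applied as a systemd drop-in instead of by editing the unit file that the package ships, so an RPM update of the service does not silently revert it. The unit name httpd.service and the drop-in file name hardening.conf are assumptions for the example; the directive names are the ones documented in systemd.exec(5) for systemd of that era (ReadOnlyDirectories= and InaccessibleDirectories=).

```ini
# /etc/systemd/system/httpd.service.d/hardening.conf
# Added example drop-in (unit name and file name are assumptions for the
# example; the directives are those from the proposal / systemd.exec(5)).
[Service]
# The service runs in a private mount namespace in which /etc and /usr are
# mounted read-only, so a compromised daemon running as root still cannot
# rewrite its own configuration or replace installed binaries.
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
# The package databases are made entirely inaccessible to the service.
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
```

After writing the file, run `systemctl daemon-reload` and restart the unit; `systemctl show -p ReadOnlyDirectories -p InaccessibleDirectories httpd.service` confirms the directives took effect. For services like the two exceptions above that write under /etc at startup, drop the `ReadOnlyDirectories=/etc` line and keep `ReadOnlyDirectories=/usr`; a service that needs write access will fail with "Read-only file system" errors visible in `journalctl -u <unit>`, which is the quickest way to tell the two cases apart.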
