Proposal: ReadOnlyDirectories /etc and /usr for network-services
Reindl Harald
h.reindl at thelounge.net
Sun Jul 21 22:03:01 UTC 2013
-------- Original Message --------
Subject: Proposal: ReadOnlyDirectories /etc and /usr for network-services
Date: Mon, 22 Jul 2013 00:02:02 +0200
From: Reindl Harald <h.reindl at thelounge.net>
To: Mailing-List fedora-devel <devel at lists.fedoraproject.org>
Hi
has anybody considered putting the following as default in systemd-units of
network services? cross-posting to users-list intended because I think it
is a good idea to bring it to a broader userbase!
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
http://www.freedesktop.org/software/systemd/man/systemd.exec.html
additionally having the RPM database to accessible for network-services
is fine, set for all listed below and reduces the attack surface
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
__________________________________________________
this would greatly reduce the impact of a possible root-exploit
and IMHO make installing a rootkit hard to impossible while
it is a good compromise to read-only /usr on its own partition
without making system-administration via SSH harder
__________________________________________________
currently I am in production with it for the following services,
most of them real production (customer-services) and a few on
home-servers or even not available in the Fedora repos
* asterisk
* dbmail
* dhcpd
* dnsmasq
* dovecot (running as IMAP/POP3 proxy and SASL)
* hostapd
* httpd
* hylafax
* iaxmodem
* mailgraph
* mpd
* mpdscribble
* mysqld
* named
* netatalk
* ntpd
* open-vm-tools
* openvpn
* postfix
* prosody
* pulseaudio (systemwide)
* pure-ftpd
* rsyslog
* smbd
* smokeping
* unbound
* vnstat
* xinetd (TFTP)
__________________________________________________
exceptions:
* trafficserver
it touches /etc/trafficserver at startup
"ReadOnlyDirectories=/usr" is fine
* mediatomb
refuses for whatever reason to start with read-only /etc
"ReadOnlyDirectories=/usr" is fine
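One way to roll the proposal out to a single unit, as an added example that is not part of the original mail: a drop-in file under /etc/systemd/system/<unit>.d/ carrying the four directives from the post, plus a transient-service probe (assumed to run as root on a systemd host; skipped elsewhere) that confirms the sandbox really blocks writes to /etc and reads of /var/lib/rpm. The probe uses ReadOnlyPaths=/InaccessiblePaths=, the current spelling of the directives the mail names; the hypothetical file name 10-readonly.conf is my choice.

```shell
#!/bin/sh
# Added example, not from the original mail: apply the proposed hardening
# to one unit via a drop-in, then (optionally) probe that it takes effect.
set -eu

# Write the drop-in for unit $1 under config root $2 (default /etc).
# Each path gets its own line, exactly as the mail lists them.
harden_dropin() {
    unit="$1"
    root="${2:-/etc}"
    dir="$root/systemd/system/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/10-readonly.conf" <<'EOF'
[Service]
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
EOF
    printf '%s\n' "$dir/10-readonly.conf"
}

# Number of sandboxing directives in a drop-in (a quick sanity check).
dropin_directive_count() {
    grep -Ec '^(ReadOnly|Inaccessible)Directories=' "$1"
}

# Runtime probe: a transient service with the same sandboxing must fail both
# to create a file in /etc and to list /var/lib/rpm. The inner command only
# succeeds if one of the two is NOT blocked, so success means the probe failed.
probe_sandbox() {
    if ! command -v systemd-run >/dev/null 2>&1; then
        echo "no systemd-run here; skipping runtime probe"
        return 0
    fi
    if systemd-run --quiet --wait --collect \
        -p ReadOnlyPaths=/etc -p ReadOnlyPaths=/usr \
        -p InaccessiblePaths=/var/lib/rpm \
        /bin/sh -c 'touch /etc/.probe 2>/dev/null || ls /var/lib/rpm >/dev/null 2>&1'
    then
        echo "FAIL: sandbox did not block /etc writes or /var/lib/rpm reads"
        return 1
    fi
    echo "OK: /etc is read-only and /var/lib/rpm is inaccessible in the sandbox"
}
```

After writing the drop-in, `systemctl daemon-reload` and a restart of the unit are still needed for it to apply; the probe only checks the directives themselves, not the unit.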