There's a potential problem with this: dnsmasq has an option to invoke
child processes when the DHCP lease database changes, using the
--dhcp-script option. By making this change, those processes are going
to be invoked with read-only /usr. That's probably fine in most cases,
but there's no certainty that someone's script doesn't write /usr, and
for that script, this is a non-backwards compatible change.

Simon.


On 01/12/14 03:51, Micah Anderson wrote:
> Package: dnsmasq
> Version: 2.72-2
> Severity: wishlist
> 
> Dear Maintainer,
> 
> Hello,
> 
> If you add the option ProtectSystem=yes to the service file, then
> the daemon will not have the ability to write to /usr.
> 
> There is no reason why it needs to write there, so enabling this 
> option should not cause any problems.
> 
> This option is one of the systemd security features for systemd 
> service files that was detailed in a talk[0] given by Lennart
> which details various security features you can enable in your
> package's service files.
> 
> micah
> 
> [0]
> http://ftp.nluug.nl/video/nluug/2014-11-20_nj14/zaal-2/5_Lennart_Poettering_-_Systemd.webm
>
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages dnsmasq depends on:
> ii  dnsmasq-base         2.72-2
> ii  init-system-helpers  1.22
> ii  netbase              5.3
> 
> dnsmasq recommends no packages.
> 
> Versions of packages dnsmasq suggests:
> ii  resolvconf  1.76
> 
> -- Configuration Files:
> /etc/dnsmasq.conf changed [not included]
> 
> -- no debconf information
> 
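
An added example, not part of this thread or of the dnsmasq packaging: one way to check a host for the compatibility concern raised above before enabling ProtectSystem=yes. It lists the helpers named by dhcp-script= lines in the dnsmasq config files you pass in and flags lines that look like writes under /usr. The function names are hypothetical and the match is a textual heuristic, so a hit means "review by hand".

```shell
#!/bin/sh
# Added example (not from the thread): find dnsmasq --dhcp-script helpers and
# flag lines that look like writes under /usr. Textual heuristic only; a hit
# is a prompt for manual review, and a clean result is not proof of safety.

# Print the path from every active "dhcp-script=" line in the given files.
# Commented-out lines are skipped because they do not start with the option.
dhcp_scripts_in() {
    for conf in "$@"; do
        [ -f "$conf" ] || continue
        sed -n 's/^[[:space:]]*dhcp-script=//p' "$conf" | sed 's/[[:space:]]*$//'
    done
}

# Print "file:line:text" for redirections to, or file-modifying commands
# naming, a path under /usr. Exit status is 0 when something was found.
usr_writes_in() {
    grep -nE '>>?[[:space:]]*"?/usr/|(^|[;&|[:space:]])(cp|mv|rm|touch|mkdir|install|tee)[[:space:]].*/usr/' "$1" /dev/null
}

# Audit every helper named in the config files; return 1 if any needs review.
# Assumes helper paths contain no whitespace.
audit_dhcp_scripts() {
    status=0
    for script in $(dhcp_scripts_in "$@"); do
        if [ ! -r "$script" ]; then
            echo "UNREADABLE $script"; status=1
        elif usr_writes_in "$script"; then
            status=1
        else
            echo "OK $script"
        fi
    done
    return $status
}

# Constructed demo: one helper that appends to a file under /usr, one that
# does not. Run with: sh thisfile demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "$1 $3" >> /usr/share/leases.log\n' > "$d/bad.sh"
    printf '#!/bin/sh\nlogger "lease $1 $3"\n' > "$d/good.sh"
    printf '# constructed\n#dhcp-script=/old\ndhcp-script=%s/bad.sh\n' "$d" > "$d/a.conf"
    printf 'dhcp-script=%s/good.sh\n' "$d" > "$d/b.conf"
    audit_dhcp_scripts "$d/a.conf" "$d/b.conf" || echo "review before enabling ProtectSystem=yes"
    rm -rf "$d"
fi
```

On a real host the arguments would be the dnsmasq configuration files in use, such as the /etc/dnsmasq.conf mentioned in the report.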