On 22.07.2013 16:37, Michael Scherer wrote:
> On Monday, 22 July 2013 at 00:02 +0200, Reindl Harald wrote:
>> has anybody considered putting the following as default in systemd-units of
>> network services? cross-posting to users-list intended because I think it
>> is a good idea to bring it to a broader userbase!
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>>
>> http://www.freedesktop.org/software/systemd/man/systemd.exec.html
>>
>> additionally having the RPM database not accessible for network-services
>> is fine, set for all listed below and reduces the attack surface
>>
>> InaccessibleDirectories=/var/lib/rpm
>> InaccessibleDirectories=/var/lib/yum
>> __________________________________________________
>>
>> this would greatly reduce the impact of a possible root-exploit
>> and IMHO make installing a rootkit hard to impossible while
>> it is a good compromise to read-only /usr on its own partition
>> without making system-administration via SSH harder
>
> I am not sure for /var/lib/rpm
no webserver, mailserver, rsyslog or whatever needs to access the RPM db
I would say for 99% of services it is pretty fine to disable access
maybe exceptions for management software

> For /usr and /etc, you need to be root to modify them most of the time
> if I am not wrong, and so if you are root, can you set them as being rw
> again?)

AFAIK no, or at least very difficult at all - systemd is the supervisor

> ( and anyway, even if root can change that, it may be sufficient to stop
> some automated worms, as I have already seen one that overwrote the openssh
> binary, this would have been prevented)

*that's the idea behind*

>> exceptions:
>>
>> * trafficserver
>> it touches /etc/trafficserver at startup
>> "ReadOnlyDirectories=/usr" is fine
>
> Seems like a bug in the software. It would prevent having it run from a
> livecd.

yes and no
if you have not enabled cluster-support it should not need to touch its config
but it does, including backups in the form of _1 files; most of them can be set RO
for the ats user and it whines in the logs but is fine to start
but because of the cluster-thing you can't make /etc read-only as default

>> * mediatomb
>> refuses for whatever reason to start with read-only /etc
>> "ReadOnlyDirectories=/usr" is fine
>
> Same as above

that is for sure a bug
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
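One defender-side check for the hardening proposed in this thread, as an added example that is not part of the thread or of any Fedora unit file: a POSIX sh audit that reports which of the four directives a unit file lacks. It accepts both the ReadOnlyDirectories=/InaccessibleDirectories= spelling used above and the later ReadOnlyPaths=/InaccessiblePaths= spelling; the sample unit contents it feeds itself are constructed.

```shell
#!/bin/sh
# Added example: audit systemd unit files for the hardening directives the
# thread proposes (old Directories= and newer Paths= spellings both count).

# Expected hardening as "family path" pairs (one per line).
EXPECTED="readonly /etc
readonly /usr
inaccessible /var/lib/rpm
inaccessible /var/lib/yum"

# has_directive FAMILY PATH FILE -> 0 if FILE lists PATH under that family.
# Several paths may share one line; "-"/"+" prefixes are tolerated.
has_directive() {
    family=$1 path=$2 file=$3
    case $family in
        readonly)     keys='ReadOnlyDirectories|ReadOnlyPaths' ;;
        inaccessible) keys='InaccessibleDirectories|InaccessiblePaths' ;;
    esac
    grep -E "^[[:space:]]*($keys)=" "$file" | sed -E 's/^[^=]*=//' \
        | tr ' ' '\n' | sed -E 's/^[-+]//' | grep -qxF -- "$path"
}

# audit_unit FILE -> prints findings; returns the number of missing entries.
audit_unit() {
    file=$1
    missing=$(printf '%s\n' "$EXPECTED" | while read -r family path; do
        has_directive "$family" "$path" "$file" || echo "$family $path"
    done)
    if [ -z "$missing" ]; then echo "$file: hardened"; return 0; fi
    printf '%s\n' "$missing" | sed "s|^|$file: missing |"
    return $(( $(printf '%s\n' "$missing" | wc -l) ))
}

# Constructed sample units (not real Fedora unit files) for a demo run.
demo=$(mktemp -d)
cat > "$demo/hardened.service" <<'EOF'
[Service]
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/lib/yum
EOF
cat > "$demo/needs-etc.service" <<'EOF'
[Service]
# /etc left writable, like trafficserver in the thread
ReadOnlyPaths=/usr
InaccessiblePaths=-/var/lib/rpm /var/lib/yum
EOF
for f in "$demo"/*.service; do audit_unit "$f" || :; done
rm -rf "$demo"
```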