On Mon, Aug 22, 2011 at 4:32 PM, Lennart Poettering <mzerq...@0pointer.de>wrote:
> In fact, systemd offers quite a number security features to secure your > services wich can be easily used to enhance local security. I'll > probably blog about this soonishly, but there's a lot of nice stuff in > there. For example, set "PrivateNetwork=yes" in a service file and the > service will be entirely cut off from the network, so that no network > interfaces are visible anymore. It will only have access to a private, > isolated instance of the loopback device. This is something we should > set for a number of services which never should get network access, like > upower, dbus, or colord. Another really simple option like this is > "PrivateTmp=yes" which gives the service a private, isolated /tmp > directory, so that it won't see and cannot access other processes' > files. Stuff like this is really easy to use, and brings immediate > security benefits, since it locks services into flexible jails, > minimizing the attack surface and locking in exploiters. > > Fascinating. Very fascinating. For the sake of argument, what would I have to do on a sysvinit-ish system (say F14) to get dbus on an equivalent private network? -jef
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
