Probably going to go through the front door in fedora 22.
New Sandboxing Features Come To Systemd
-
I don't like systemd - but that's no reason to be incorrect on purpose, and I see a lot of misinformed FUD here.
Check the actual commit. http://cgit.freedesktop.org/systemd/...a7800846482eed
These are namespace mount flags - you can emulate that with unshare (man 1 unshare).
This is much simpler and faster than setting up RBAC through any mechanism. It's basically a different view of the filesystem mount. Fast/simple.
Note that grsec gets a lot of positive advertisement as being the underdog/not in mainline, and there's a lot of great stuff with it, but in the real world it isn't all that much better or worse than other alternatives. LSM, for example, isn't limited at all. It's less safe against kernel compromise. But for most people, if the kernel is compromised in any way, it's already game over. And in most cases, for GrSec RBAC, it is.
The real gem in the GrSec kernel is that it includes PaX. At the same time, PaX code is tracked by extremely large patch files with no history, making it difficult to understand and audit. And that's why it's not in mainline.
-
Originally posted by Luke:
Systemd devs, like all programmers, need bug reports, not personal attacks and hate headlines, when something breaks. If all those attacks on systemd force systemd devs to turtle up and try everything new in private for fear of being attacked over bugs in alpha code, you get more bugs instead of less bugs when code gets released into system configurations the programmers don't have on hand for testing.
Expect alpha code to have issues; expect finished code used in released versions of operating systems to be reliable. These go together, folks! Let's face it, a lot of people are using systemd right now, and they need code that works. Many of us appreciate core security upgrades that can be used to, say, sandbox the network and block remote attacks.
-
Originally posted by asdfblah:
BTW, I'm still wondering if there is any security researcher auditing systemd...
On the other hand, what sort of security audit do distro init scripts get?
-
Originally posted by asdfblah:
BTW, I'm still wondering if there is any security researcher auditing systemd...
You can be sure that the version that will end up in RHEL 7 will be fully audited.
-
Originally posted by rmiller:
This is only useful if the service runs with a privileged user. An unprivileged user (nobody, http, dhcp, etc.) can only access the files that are owned by him.
-
Originally posted by misc:
They can also access files that are world readable (not that it changes much, but that's for nitpicking).
The example's not perfect, but the point I was trying to make is: none of us have any idea of what crazy, hackish setups people either choose to use / get forced to use to make something work. So we have to work with that unknown.
All opinions are my own, not those of my employer, if you know who they are.
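To make concrete what the thread is arguing about (the "different view of the filesystem mount" in the first reply, the "sandbox the network" remark, and the privileged-vs-unprivileged user point at the end), here is an added example of a service unit that uses systemd's mount-namespace directives. It is not code from the thread, from systemd's documentation, or from the linked commit; the directive names (ReadOnlyDirectories=, ReadWriteDirectories=, InaccessibleDirectories=, PrivateTmp=, PrivateNetwork=) are the real systemd.exec options of that era, while the service name, user and paths are constructed for illustration.

```ini
# Added example unit (constructed, not from the thread or from systemd itself).
# Service name, User= and the paths below are placeholders.
[Unit]
Description=Example local-only daemon with a restricted filesystem view

[Service]
ExecStart=/usr/bin/example-daemon
User=exampled
Group=exampled

# Own mount namespace with fresh /tmp and /var/tmp: other processes'
# temporary files are simply not visible to this service.
PrivateTmp=yes

# Bind-mount these trees read-only inside the service's namespace. The
# restriction is enforced by the mount itself, so writes are refused even
# when ordinary file permissions would allow them. That is what answers the
# "only useful for privileged users" objection: for User=root it is the only
# thing stopping writes; for an unprivileged User= it adds a second layer on
# top of DAC ownership and world-readable checks.
ReadOnlyDirectories=/etc /usr /var

# Carve a writable exception out of the read-only /var above.
ReadWriteDirectories=/var/lib/example-daemon

# Make these trees inaccessible (they cannot be read at all from inside).
InaccessibleDirectories=/home /root

# Separate network namespace containing only a loopback device. Only for a
# service that needs no network at all; a remote compromise of such a
# service then has no route out.
PrivateNetwork=yes
```

Note the caveat from the manual that applies to all three directory options: the bind mounts cover what exists when the namespace is created, so submounts created later under a read-only tree are not covered. The unshare(1) emulation mentioned in the thread is the same mechanism done by hand: a new mount namespace plus read-only bind mounts, which is why it is cheap compared with an RBAC policy.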