
Bug#727708: Quick upstart and systemd feature comparison



On Thu, Dec 19, 2013 at 09:57:48AM -0800, Russ Allbery wrote:
> Ian Jackson <ijackson@chiark.greenend.org.uk> writes:
> > Russ Allbery writes:

> >> * Lots of really interesting defense-in-depth security features.  I
> >>   particularly liked ReadWriteDirectories, ReadOnlyDirectories,
> >>   InaccessibleDirectories, PrivateNetwork, and NoNewPrivileges, which
> >>   provide a sort of lightweight process containment that would be much
> >>   easier to use than a full-blown chroot, and in some ways more powerful.

> > I think that this functionality should be provided by "auxiliary verb"
> > wrapper commands, not welded into init.

> Why?  It feels like it adds (mild) complexity without a whole lot of
> benefit.  The init system (for both systemd and upstart) is already
> handling setuid, setgid, nice, OOM adjustment, system resource limits,
> etc.  This stuff feels like the same type of thing.

> Also, note that systemd also has broad support for SELinux and related MAC
> mechanisms (and upstart has support for apparmor), which use the same type
> of mechanism.  I believe there are some policy challenges in allowing a
> separate process to handle that setup without compromising security.  The
> init system is already running in the correct trusted context to do that
> sort of setup.

> (I'm very interested in the SELinux parts as well, but probably won't be
> able to use them immediately, so I didn't analyze them in much depth.)

Right, I also agree this kind of thing is best implemented directly in the
init system.  I don't think it's the highest priority for implementing, but
it would have its uses and the init system is best placed to handle it.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
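
As an added illustration, not part of the original message and not taken from systemd's or Debian's own files: a unit file in which the containment directives named in the thread sit in the same `[Service]` section as the credential and resource settings the init system already applies. The daemon name `exampled`, its user and group, and all paths are hypothetical.

```ini
# Added example: hypothetical service "exampled"; names and paths are assumptions.
[Unit]
Description=Example daemon confined by systemd's exec-time sandboxing

[Service]
ExecStart=/usr/sbin/exampled --foreground

# Credentials and resource controls the init system already applies
# (the setuid, setgid, nice, OOM adjustment and resource limit cases).
User=exampled
Group=exampled
Nice=5
OOMScoreAdjust=500
LimitNOFILE=4096

# Containment directives named in the thread, set in the same section.
# The state directory keeps its normal read-write access.
ReadWriteDirectories=/var/lib/exampled
# Configuration and system binaries stay visible but cannot be modified.
ReadOnlyDirectories=/etc /usr
# User data is hidden from the service entirely.
InaccessibleDirectories=/home /root
# Private network namespace containing only a loopback device.
PrivateNetwork=yes
# execve() can no longer grant privileges via setuid/setgid bits or file capabilities.
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

Later systemd releases renamed the three directory settings to `ReadWritePaths=`, `ReadOnlyPaths=` and `InaccessiblePaths=`, keeping the older names as aliases.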
