
Bug#727708: Quick upstart and systemd feature comparison



Ian Jackson <ijackson@chiark.greenend.org.uk> writes:
> Russ Allbery writes:

>> * Lots of really interesting defense-in-depth security features.  I
>>   particularly liked ReadWriteDirectories, ReadOnlyDirectories,
>>   InaccessibleDirectories, PrivateNetwork, and NoNewPrivileges, which
>>   provide a sort of lightweight process containment that would be much
>>   easier to use than a full-blown chroot, and in some ways more powerful.

> I think that this functionality should be provided by "auxiliary verb"
> wrapper commands, not welded into init.

Why?  It feels like it adds (mild) complexity without a whole lot of
benefit.  The init system (for both systemd and upstart) is already
handling setuid, setgid, nice, OOM adjustment, system resource limits,
etc.  This stuff feels like the same type of thing.

Also, note that systemd also has broad support for SELinux and related MAC
mechanisms (and upstart has support for apparmor), which use the same type
of mechanism.  I believe there are some policy challenges in allowing a
separate process to handle that setup without compromising security.  The
init system is already running in the correct trusted context to do that
sort of setup.

(I'm very interested in the SELinux parts as well, but probably won't be
able to use them immediately, so I didn't analyze them in much depth.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
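As an added illustration of the directives discussed in the message above (this unit is constructed for this page and is not part of the original thread or of either project), here is a hypothetical systemd service unit showing how the containment options sit next to the privilege and resource settings an init system already manages; the service name, user and paths are invented, and the unit assumes a daemon that needs no network access at all.

```ini
# /etc/systemd/system/example-daemon.service  (hypothetical unit, constructed for illustration)
[Unit]
Description=Example daemon with systemd process containment

[Service]
ExecStart=/usr/sbin/example-daemon --foreground

# Settings any init system already applies before exec: setuid/setgid, nice, OOM, rlimits
User=example
Group=example
Nice=5
OOMScoreAdjust=-100
LimitNOFILE=4096

# Defense-in-depth directives named in the message.
# Mount the whole filesystem read-only for this service, then re-open only the
# directories the daemon must write to; more specific entries override broader ones.
ReadOnlyDirectories=/
ReadWriteDirectories=/var/lib/example-daemon /var/log/example-daemon

# Hide sensitive trees entirely: the process sees an empty, unreadable mount point.
InaccessibleDirectories=/home /root /etc/ssh

# Give the service its own network namespace containing only loopback, so a
# compromised process can neither reach nor be reached from the network.
PrivateNetwork=yes

# Set PR_SET_NO_NEW_PRIVS: execve() of setuid/setgid or file-capability binaries
# can no longer raise the process's privileges.
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

Later systemd releases accept the same settings under the names ReadOnlyPaths=, ReadWritePaths= and InaccessiblePaths=, and `systemd-analyze security <unit>` reports which of these options a unit leaves unset.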

