[pkg-bacula-devel] Hardening systemd

Sven Hartge sven at svenhartge.de
Thu Dec 27 23:06:59 GMT 2018


On 27.12.18 23:45, Carsten Leonhardt wrote:

>> I am currently experimenting with more systemd hardening options. I went
>> through the list of possibilities and have been running the ones I
>> patched in branch hardening-systemd since 2018-12-23 in my
>> disk2disk2tape setup at home.
>>
>> The normal backup and catalog backups run as you would expect, restores
>> also work fine and this time I double-checked all permissions, users,
>> ACLs and attributes have also been restored correctly.
>>
>> If possible I'd like to get those options into Buster, but would like to
>> run them for another week before I am sure they a) work and b) don't
>> break anything.
> 
> And I remember that I thought it would be also good to use apparmor.

AppArmor frightens me, to be honest. It may be more manageable for
daemons with a narrower use case, but the ordeal the Thunderbird
maintainers went through to get their profile in a useful shape was
disheartening.

> Or both?
> 
> Anyway, if it works and makes it more secure I don't see why not.

There are some things I/we need to consider. Not allowing new privileges
for example will shut down anything setuid (I think). If some user calls
a setuid program during (for example) their database dump routine, this
might cause problems.

This is something I need to test, how this interacts with
ClientRunScripts, etc.

But since this is easily overridden by users who need this, we can argue
that it is better to make the packages safe for 99% of users than to
cater to 1% with special needs.

So I think it would be best to get this out sooner than later and fix
anything that needs fixing after, than trying to come up with any corner
case ourselves.

Grüße,
Sven.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-bacula-devel/attachments/20181228/1fcff4ff/attachment.sig>


More information about the pkg-bacula-devel mailing list