[pkg-bacula-devel] Hardening systemd

Carsten Leonhardt leo at debian.org
Sat Dec 29 23:32:55 GMT 2018


Hi Sven,

> I went through capabilities(7) and blacklisted all those which I deem
> dangerous or unneeded, like the ability to reboot the system, (un)load
> modules, set the clock, change network settings or bind to a port below
> 1024.

Hm, now that I see this list, I'm thinking of RunScripts and that we
can't know what administrators might want to do there.

For example I know a company where computers used to be woken by wake on
lan and shut down after the backup.

I guess the restrictions will be inherited by RunScripts?

> I retained all those which interact with files, their permissions, etc.,
> device nodes, raw I/O (if one backs up a whole block device).
>
> I also kept CAP_SYS_ADMIN, because it contains too much stuff where I am
> not sure if it is needed. The man-page even says so: "Note: this
> capability is overloaded;"
>
> It would be nice if there was some form of audit wrapper one could use
> to see which capabilities a program uses.
>
> Can you please double check my list to see if I missed something?

I will.

 - Carsten
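Added example for the capability discussion above (this is not code from the Bacula packaging or from either poster): a POSIX shell script that decodes a capability mask as it appears in /proc/<pid>/status into names, checks it against the deny list proposed in the thread (reboot, modules, clock, network settings, privileged ports; CAP_SYS_ADMIN deliberately kept), and emits the matching systemd drop-in. The bit numbering follows capabilities(7) up to CAP_CHECKPOINT_RESTORE (bit 40, Linux 5.9); the deny list, the drop-in text and the function names are assumptions made for this example. The capability bounding set is inherited across fork and execve and can only shrink, which is what makes a CapabilityBoundingSet= restriction apply to RunScripts children as well.

```shell
#!/bin/sh
# Added example, not from the bacula packaging: decode a capability mask,
# audit it against a deny list, and print the systemd drop-in for it.

# Capabilities the thread proposes to drop (assumed list for this example).
DENY="CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_TIME CAP_NET_ADMIN CAP_NET_BIND_SERVICE"

# Bit number -> capability name, per capabilities(7) (Linux 5.9 numbering).
cap_name() {
    case "$1" in
        0) printf '%s' CAP_CHOWN ;;            1) printf '%s' CAP_DAC_OVERRIDE ;;
        2) printf '%s' CAP_DAC_READ_SEARCH ;;  3) printf '%s' CAP_FOWNER ;;
        4) printf '%s' CAP_FSETID ;;           5) printf '%s' CAP_KILL ;;
        6) printf '%s' CAP_SETGID ;;           7) printf '%s' CAP_SETUID ;;
        8) printf '%s' CAP_SETPCAP ;;          9) printf '%s' CAP_LINUX_IMMUTABLE ;;
        10) printf '%s' CAP_NET_BIND_SERVICE ;; 11) printf '%s' CAP_NET_BROADCAST ;;
        12) printf '%s' CAP_NET_ADMIN ;;       13) printf '%s' CAP_NET_RAW ;;
        14) printf '%s' CAP_IPC_LOCK ;;        15) printf '%s' CAP_IPC_OWNER ;;
        16) printf '%s' CAP_SYS_MODULE ;;      17) printf '%s' CAP_SYS_RAWIO ;;
        18) printf '%s' CAP_SYS_CHROOT ;;      19) printf '%s' CAP_SYS_PTRACE ;;
        20) printf '%s' CAP_SYS_PACCT ;;       21) printf '%s' CAP_SYS_ADMIN ;;
        22) printf '%s' CAP_SYS_BOOT ;;        23) printf '%s' CAP_SYS_NICE ;;
        24) printf '%s' CAP_SYS_RESOURCE ;;    25) printf '%s' CAP_SYS_TIME ;;
        26) printf '%s' CAP_SYS_TTY_CONFIG ;;  27) printf '%s' CAP_MKNOD ;;
        28) printf '%s' CAP_LEASE ;;           29) printf '%s' CAP_AUDIT_WRITE ;;
        30) printf '%s' CAP_AUDIT_CONTROL ;;   31) printf '%s' CAP_SETFCAP ;;
        32) printf '%s' CAP_MAC_OVERRIDE ;;    33) printf '%s' CAP_MAC_ADMIN ;;
        34) printf '%s' CAP_SYSLOG ;;          35) printf '%s' CAP_WAKE_ALARM ;;
        36) printf '%s' CAP_BLOCK_SUSPEND ;;   37) printf '%s' CAP_AUDIT_READ ;;
        38) printf '%s' CAP_PERFMON ;;         39) printf '%s' CAP_BPF ;;
        40) printf '%s' CAP_CHECKPOINT_RESTORE ;;
        *) printf 'CAP_%s' "$1" ;;             # newer bit this table does not know
    esac
}

# Print the capability names set in a hexadecimal mask (as in /proc/<pid>/status),
# space separated, lowest bit first.
decode_caps() {
    mask=$1; bit=0; out=""
    while [ "$bit" -le 40 ]; do
        if [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$(cap_name "$bit")"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# Print the DENY entries still present in the mask; return 1 if there are any.
check_denied() {
    present=" $(decode_caps "$1") "
    found=""
    for c in $DENY; do
        case "$present" in *" $c "*) found="${found:+$found }$c" ;; esac
    done
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Read the bounding set of a running process (default: this shell).
proc_capbnd() {
    sed -n 's/^CapBnd:[[:space:]]*//p' "/proc/${1:-$$}/status"
}

# Emit the systemd drop-in that removes DENY from the bounding set.
# "~" inverts the list: everything except these capabilities is kept.
dropin() {
    printf '[Service]\nCapabilityBoundingSet=~%s\n' "$DENY"
}

# Demo on Linux: audit this shell's own bounding set.
if [ -r "/proc/$$/status" ]; then
    bnd=$(proc_capbnd)
    printf 'CapBnd of pid %s: %s\n' "$$" "$(decode_caps "$bnd")"
    check_denied "$bnd" | sed 's/^/deny-listed but still present: /'
fi
```

To audit a running daemon instead of the shell, pass its pid to proc_capbnd and feed the result to check_denied; running the same check from inside a RunScript (for example against $$) shows whether the drop-in's restrictions reached the child.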


