[pkg-bacula-devel] Hardening systemd
Carsten Leonhardt
leo at debian.org
Sat Dec 29 23:32:55 GMT 2018
Hi Sven,
> I went through capabilities(7) and blacklisted all those which I deem
> dangerous or unneeded, like the ability to reboot the system, (un)load
> modules, set the clock, change network settings or bind to a port below
> 1024.
Hm, now that I see this list, I'm thinking of RunScripts and that we
can't know what administrators might want to do there.
For example, I know a company where computers used to be woken by
Wake-on-LAN and shut down after the backup.
I guess the restrictions will be inherited by RunScripts?
> I retained all those that interact with files, their permissions, etc.,
> device nodes, raw I/O (if one backs up a whole block device).
>
> I also kept CAP_SYS_ADMIN, because it contains too much stuff where I am
> not sure if it is needed. The man-page even says so: "Note: this
> capability is overloaded;"
>
> It would be nice if there was some form of audit wrapper one could use
> to see which capabilities a program uses.
>
> Can you please double check my list to see if I missed something?
I will.
- Carsten
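An added example, not from this thread or the Bacula packaging: a small Python script that decodes the CapBnd line of /proc/<pid>/status, so one can check which of the blacklisted capabilities are still in a process's bounding set and confirm that a RunScript child of the hardened bacula-fd carries the same set as the daemon. The bit numbers come from capabilities(7); the five-entry drop list is assumed from Sven's description, and the two status dumps are constructed.

```python
"""Decode CapBnd masks from /proc/<pid>/status and check them against a drop list."""

# Capability names indexed by bit number, as listed in capabilities(7).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumed drop list: reboot, (un)load modules, set the clock, change network
# settings, bind to a port below 1024.
DROPPED = {"CAP_SYS_BOOT", "CAP_SYS_MODULE", "CAP_SYS_TIME",
           "CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE"}

def bounding_set_mask(dropped):
    """Mask left in place by CapabilityBoundingSet=~<dropped caps> in a unit file."""
    return sum(1 << bit for bit, name in enumerate(CAP_NAMES) if name not in dropped)

def decode_capbnd(status_text):
    """Return the capability names set in the CapBnd: line of a status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split()[1], 16)
            return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    raise ValueError("no CapBnd line in status text")

def leaked(status_text, dropped=DROPPED):
    """Capabilities from the drop list that are still present in the bounding set."""
    return decode_capbnd(status_text) & dropped

# Constructed dumps: the hardened daemon and the RunScript shell it forks. The
# bounding set is inherited across fork() and execve(), so the child shows the
# same mask as its parent.
FD_STATUS = f"Name:\tbacula-fd\nCapBnd:\t{bounding_set_mask(DROPPED):016x}\n"
RUNSCRIPT_STATUS = "Name:\tsh\nCapBnd:\t" + FD_STATUS.split("CapBnd:\t")[1]
UNHARDENED_STATUS = "Name:\tbacula-fd\nCapBnd:\t000001ffffffffff\n"

if __name__ == "__main__":
    print("unhardened still has:", sorted(leaked(UNHARDENED_STATUS)))
    print("hardened still has:", sorted(leaked(FD_STATUS)) or "none")
    print("RunScript inherits the set:", decode_capbnd(RUNSCRIPT_STATUS) == decode_capbnd(FD_STATUS))
```

On a live system the same check is `grep CapBnd /proc/<pid>/status` for the daemon and for a RunScript child, fed to decode_capbnd().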