[pkg-bacula-devel] Hardening systemd

Sven Hartge sven at svenhartge.de
Sat Dec 29 23:36:22 GMT 2018


On 30.12.18 00:32, Carsten Leonhardt wrote:
> Hi Sven,
> 
>> I went through capabilities(7) and blacklisted all those which I deem
>> dangerous or unneeded, like the ability to reboot the system, (un)load
>> modules, set the clock, change network settings or bind to a port below
>> 1024.
> 
> Hm, now that I see this list, I'm thinking of RunScripts and that we
> can't know what administrators might want to do there.
> 
> For example I know a company where computers used to be woken by wake on
> lan and shut down after the backup.
> 
> I guess the restrictions will be inherited to RunScripts?

Of course. It applies to all children.

But then again, it is easily overridden by the admin via a simple
"systemctl edit bacula-fd.service". But this needs to be documented
well, maybe even via a NEWS entry.

Question here is: How far do we want to accommodate special setups in
our default setup?

I am unsure in this regard at the moment. As usual, there is no binary
answer here, one has to carefully weigh all options.

Grüße,
Sven.
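
An added example, not part of the original message or of the bacula packaging: a check an administrator could run against the daemon's PID, or from inside a RunScript, to see which of the capabilities named in the thread are missing from the process's bounding set. It assumes the unit applies the restriction through the capability bounding set (the thread does not name the directive); the capability bit numbers are those of linux/capability.h, and the sample status text is constructed.

```python
"""List capabilities dropped from a process's bounding set (added example)."""
import os

# Bit numbers from linux/capability.h for the operations named in the thread:
# binding to ports below 1024, network settings, module (un)loading,
# rebooting, and setting the clock.
CAPS = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_BOOT": 22,
    "CAP_SYS_TIME": 25,
}


def bounding_mask(status_text):
    """Return the CapBnd bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line found")


def dropped(status_text, caps=CAPS):
    """Names of the listed capabilities that are absent from the bounding set."""
    mask = bounding_mask(status_text)
    return sorted(name for name, bit in caps.items() if not ((mask >> bit) & 1))


def check_pid(pid="self"):
    """Run the check against a live process (Linux only)."""
    with open(os.path.join("/proc", str(pid), "status")) as fh:
        return dropped(fh.read())


# Constructed samples: a full bounding set, and one with the five bits cleared.
FULL = 0x1FFFFFFFFFF
RESTRICTED = FULL
for _bit in CAPS.values():
    RESTRICTED &= ~(1 << _bit)
SAMPLE_UNRESTRICTED = "Name:\tbacula-fd\nCapBnd:\t%016x\n" % FULL
SAMPLE_RESTRICTED = "Name:\tsh\nCapBnd:\t%016x\n" % RESTRICTED

if __name__ == "__main__":
    print("unrestricted sample:", dropped(SAMPLE_UNRESTRICTED))
    print("restricted sample:  ", dropped(SAMPLE_RESTRICTED))
    if os.path.exists("/proc/self/status"):
        print("this process:       ", check_pid())
```

The bounding set is preserved across fork and execve, so calling `check_pid()` from a script started by the daemon reports the same dropped capabilities as the daemon itself.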

