[pkg-bacula-devel] Hardening systemd
Sven Hartge
sven at svenhartge.de
Sat Dec 29 23:36:22 GMT 2018
On 30.12.18 00:32, Carsten Leonhardt wrote:
> Hi Sven,
>
>> I went through capabilities(7) and blacklisted all those which I deem
>> dangerous or unneeded, like the ability to reboot the system, (un)load
>> modules, set the clock, change network settings or bind to a power below
>> 1024.
>
> Hm, now that I see this list, I'm thinking of RunScripts and that we
> can't know what administrators might want to do there.
>
> For example I know a company where computers used to be woken by wake on
> lan and shut down after the backup.
>
> I guess the restrictions will be inherited to RunScripts?
Of course. It applies to all childs.
But then again, it is easily overridden by the admin via a simple
"systemctl edit bacula-fd.service". But this needs to be documented
well, maybe even via a NEWS entry.
Question here is: How far do we want to accommodate special setups in
our default setup.
I am unsure in this regard at the moment. As usual, there is no binary
answer here, one has to carefully weigh all options.
Grüße,
Sven.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-bacula-devel/attachments/20181230/1b33693b/attachment.sig>
More information about the pkg-bacula-devel
mailing list