Since Arch has embraced systemd, a lot of new exciting features have become available. Systemd has introduced a lot of security-minded features which can be used in service files, and while some of them have been implemented in a lot of services (such as PrivateTmp), others haven't, and I'm especially thinking of ProtectSystem, ProtectHome & PrivateDevices. I have been overloading service files for long-running daemons (such as mysqld, php-fpm, postgresql & memcached) to add these and they haven't had any negative impact, so I think they could be added to the distributed packages as well.
What do you think? I'm interested in opinions from both users & devers/package maintainers.
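An added example, not part of the original post: a small audit that lists which of the sandboxing directives named above are unset or switched off in a unit's `[Service]` section once its drop-in overrides are read in order. The unit `exampled.service`, its contents and the function name `missing_hardening` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sandboxing directives that are unset or switched off
# in the [Service] section of a unit file plus its drop-in overrides.
DIRECTIVES="PrivateTmp ProtectSystem ProtectHome PrivateDevices"

# Usage: missing_hardening UNIT_FILE [DROPIN.conf ...]
# Files are read in order, so a later drop-in overrides an earlier value.
missing_hardening() {
    for d in $DIRECTIVES; do
        if awk -v key="$d" '
            FNR == 1 { in_service = 0 }
            /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
            !in_service || /^[ \t]*[#;]/ { next }
            {
                eq = index($0, "=")
                if (eq == 0) next
                k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
                v = substr($0, eq + 1);   gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) val = tolower(v)
            }
            # exit 0 means "missing": never set, or set to a boolean false
            END { exit !(val == "" || val ~ /^(no|n|false|f|off|0)$/) }
        ' "$@"; then
            printf '%s\n' "$d"
        fi
    done
}

# Constructed sample: a hypothetical exampled.service and an override drop-in.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/exampled.service" <<'EOF'
[Unit]
Description=Constructed example daemon

[Service]
ExecStart=/usr/bin/exampled
PrivateTmp=true
EOF
cat > "$tmp/override.conf" <<'EOF'
[Service]
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
EOF
echo "packaged unit alone is missing:"
missing_hardening "$tmp/exampled.service"
echo "with the drop-in applied, missing:"
missing_hardening "$tmp/exampled.service" "$tmp/override.conf"
```

On a real system the arguments would be the packaged unit under `/usr/lib/systemd/system/` followed by any files in `/etc/systemd/system/<unit>.service.d/`.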
Good idea, reduces the attack surface. Along with "ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=", it's almost like a MAC system.
I haven't noticed any negative effects, while I have been running this setup for a couple of weeks. I wonder why PrivateTmp is implemented in most services, but the mentioned additional protections are not.
Yes!
Setup 1: Thinkpad T14s G3, 14" FHD - R7 6850U - 32GB RAM - 2TB Solidigm P44 Pro NVME
Setup 2: Thinkpad X1E G1, 15.6" FHD - i7-8850H - 32GB RAM - NVIDIA GTX 1050Ti - 2x 1TB Samsung 970 Pro NVME
Accessories: Filco Majestouch TKL MX-Brown Mini Otaku, Benq XL2420T (144Hz), Lo(w)gitech G400, Puretrak Talent, Sennheiser HD800S + Meier Daccord FF + Meier Classic FF
Good idea, reduces the attack surface. Along with "ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=", it's almost like a MAC system.
as far as i can see, the whole systemd thing is heavily inspired by Mac OS' launchd.
my answer is rather yes.
— love is the law, love under wheel, — said aleister crowley and typed in his terminal:
usermod -a -G wheel love