#1 2015-07-10 09:37:31

Spider.007
Member
Registered: 2004-06-20
Posts: 1,175

Should Archlinux add ProtectSystem, ProtectHome & PrivateDevices ?

Since Arch has embraced systemd, a lot of new exciting features have become available. Systemd has introduced a lot of security-minded features which can be used in service-files, and while some of them have been implemented in a lot of services (such as PrivateTmp), others haven't, and I'm especially thinking of ProtectSystem, ProtectHome & PrivateDevices. I have been overloading service-files for long-running daemons (such as mysqld, php-fpm, postgresql & memcached) to add these and they haven't had any negative impact, so I think they could be added to the distributed packages as well.

What do you think? I'm interested in opinions from both users & devs/package maintainers.

#2 2015-07-20 23:39:16

phoenix
Member
Registered: 2015-03-28
Posts: 18

Re: Should Archlinux add ProtectSystem, ProtectHome & PrivateDevices ?

Good idea, reduces the attack surface. Along with "ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=", it's almost like a MAC system.

#3 2015-07-21 11:57:00

Spider.007
Member
Registered: 2004-06-20
Posts: 1,175

Re: Should Archlinux add ProtectSystem, ProtectHome & PrivateDevices ?

I haven't noticed any negative effects, while I have been running this setup for a couple of weeks. I wonder why PrivateTmp is implemented in most services, but the mentioned additional protections are not.


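An added example, not part of the thread or of any Arch package: a POSIX shell script for the check and override discussed in posts #1 and #3. It reports which of the three directives a unit's `[Service]` section does not set and writes a drop-in for the missing ones. The directive values, the function names and the sample unit are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Directive names are the thread's;
# the values are assumptions picked for illustration.
HARDENING="ProtectSystem=full ProtectHome=true PrivateDevices=true"

# Print each directive that the [Service] section of unit file $1 does not set.
missing_hardening() {
    for kv in $HARDENING; do
        awk -v key="${kv%%=*}" '
            /^\[/ { in_service = ($0 == "[Service]"); next }
            in_service && $0 ~ ("^" key "[ \t]*=") { found = 1 }
            END { exit !found }
        ' "$1" || echo "${kv%%=*}"
    done
}

# Write $2/<unit>.d/hardening.conf setting only the missing directives.
# On a real host $2 is /etc/systemd/system (root), followed by
# `systemctl daemon-reload` and a restart of the unit.
write_dropin() {
    unit=$(basename "$1")
    missing=$(missing_hardening "$1")
    [ -n "$missing" ] || return 0
    mkdir -p "$2/$unit.d"
    {
        echo "[Service]"
        for kv in $HARDENING; do
            case " $(echo $missing) " in
                *" ${kv%%=*} "*) echo "$kv" ;;
            esac
        done
    } > "$2/$unit.d/hardening.conf"
}

# Constructed sample unit: PrivateTmp is set, plus one of the three directives.
tmp=$(mktemp -d)
cat > "$tmp/example.service" <<'EOF'
[Unit]
Description=Constructed example daemon

[Service]
ExecStart=/usr/bin/example-daemon
PrivateTmp=true
ProtectHome=true
EOF
missing_hardening "$tmp/example.service"
write_dropin "$tmp/example.service" "$tmp/etc"
cat "$tmp/etc/example.service.d/hardening.conf"
```

A directive that is present but set to `false` counts as set here, so the packager's explicit choice is left alone.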
#4 2015-11-02 13:43:57

Utini
Member
Registered: 2015-09-28
Posts: 452

Re: Should Archlinux add ProtectSystem, ProtectHome & PrivateDevices ?

Yes! :)


Setup 1: Thinkpad T14s G3, 14" FHD - R7 6850U - 32GB RAM - 2TB Solidigm P44 Pro NVME
Setup 2: Thinkpad X1E G1, 15.6" FHD - i7-8850H - 32GB RAM - NVIDIA GTX 1050Ti - 2x 1TB Samsung 970 Pro NVME
Accessories: Filco Majestouch TKL MX-Brown Mini Otaku, Benq XL2420T (144Hz), Lo(w)gitech G400, Puretrak Talent, Sennheiser HD800S + Meier Daccord FF + Meier Classic FF

#5 2015-11-03 08:25:43

chaonaut
Member
From: Kyiv, Ukraine
Registered: 2014-02-05
Posts: 382

Re: Should Archlinux add ProtectSystem, ProtectHome & PrivateDevices ?

phoenix wrote:

Good idea, reduces the attack surface. Along with "ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=", it's almost like a MAC system.

as far as i can see, the whole systemd thing is heavily inspired by Mac OS' launchd.

my answer is rather yes.


— love is the law, love under wheel, — said aleister crowley and typed in his terminal:
usermod -a -G wheel love
