[Pki-devel] Some recent systemd security features (tunable in unit-files)

Kashyap Chamarthy kchamart at redhat.com
Fri Jan 20 05:33:31 UTC 2012


Hi,

Just came across this blog post from Lennart Poettering on security features in systemd,
which seem to be relatively easy to use by configuring a directive in systemd unit files.
Wondering if we can use any of these for dogtag systemd unit files.

http://0pointer.de/blog/projects/security.html

Quick notes from the above long post:

- Isolating services from the network
	+ A service and all its processes can be disconnected via n/w (I guess this won't be very helpful in our case, as dogtag operates mostly over the network)
- Service-private /tmp
	+ An isolated private /tmp from host system's /tmp
- Making directories appear read-only or inaccessible to services
- Taking away capabilities from services
	+ Ability to limit kernel capabilities to services
- Disallowing forking, limiting file creation for services
- Controlling device node access of services
	+ Ex: Like allowing access to a specific device (like /dev/null, and only to this device)



-- 
/kashyap
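
The features listed in the notes above map onto unit-file directives roughly as in the following drop-in. This is an added example, not part of the original message and not a dogtag unit file: the unit name `example-pki.service`, the paths, and the choice of capabilities are assumptions made for illustration.

```ini
# /etc/systemd/system/example-pki.service.d/hardening.conf
# example-pki.service is a placeholder unit name; paths below are constructed.
[Service]

# Service-private /tmp: the service gets its own /tmp, separate from the
# host's, so it cannot see or tamper with other processes' temp files.
PrivateTmp=yes

# Directories made read-only or inaccessible to the service.
# (Older systemd releases spell these ReadOnlyDirectories= and
# InaccessibleDirectories=.)
ReadOnlyPaths=/usr
InaccessiblePaths=/home

# Capabilities: anything not listed here can never be acquired by the
# service or its children. The set shown is an assumption for a daemon that
# binds a low port and then drops to an unprivileged user.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID

# Device node access: allow /dev/null (read/write) and no other device.
DeviceAllow=/dev/null rw

# Network isolation: left disabled, since a service that operates mostly
# over the network would lose all connectivity except a private loopback.
#PrivateNetwork=yes

# Disallowing forking / limiting file creation: left disabled. RLIMIT_NPROC
# also counts threads, and a size limit of 0 stops the service from writing
# its own logs and data files.
#LimitNPROC=1
#LimitFSIZE=0
```

After `systemctl daemon-reload` and a restart, `systemctl show -p PrivateTmp -p CapabilityBoundingSet example-pki.service` reports what the service manager actually applied.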



