Aleksandersen: Limit the impact of a security intrusion with systemd security directives

Daniel Aleksandersen shows how to sandbox a daemon process using a set of systemd features. "These directives combined would have stopped the specific remote code execution vulnerability that afflicted OpenSMTPD. However, the key takeaway is that you should strive to sandbox long-running and internet-exposed services. There’s no need for your webserver to be able to load a kernel module, your email server to change the hostname, or your DNS server to launch wget and schedule reoccurring tasks with cron."

Comments (39 posted)