[systemd-devel] systemd-journald.service not using ProtectSystem=strict?

Reindl Harald h.reindl at thelounge.net
Thu Jan 10 18:06:58 UTC 2019


Looking at the current security issues and how they trigger the
troll army, I wonder why systemd-journald.service is not restricted from
at least writing to /usr and /root, at least on Fedora 28 (that it's not
vulnerable because of compiler hardening is just luck)

[root at testserver:~]$ cat /etc/systemd/system/systemd-journald.service.d/security.conf
[Service]
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/run
ReadWritePaths=/var

[root at testserver:~]$ systemctl status systemd-journald.service
● systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
  Drop-In: /etc/systemd/system/systemd-journald.service.d
           └─security.conf
   Active: active (running) since Thu 2019-01-10 19:00:30 CET; 42s ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 398 (systemd-journal)
   Status: "Processing requests..."
    Tasks: 1 (limit: 512)
   Memory: 4.7M
   CGroup: /system.slice/systemd-journald.service
           └─398 /usr/lib/systemd/systemd-journald

Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Journal started
Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Runtime journal (/run/log/journal/b3591cfc6c4e65ea231a7d08489dc40f) is 2.5M, max 10.0M, 7.5M free.
Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Runtime journal (/run/log/journal/b3591cfc6c4e65ea231a7d08489dc40f) is 2.5M, max 10.0M, 7.5M free.
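As an added illustration (example code, not part of the post or of systemd), a small Python model of what the drop-in above does to the paths the service may write: ProtectSystem=strict turns the whole tree read-only except the API file systems, ProtectHome=yes hides the home directories, and ReadWritePaths= punches holes back in. The fixed path lists and the "longest matching prefix wins" rule are simplifications of systemd's mount handling and are assumptions here; the authoritative answer on a live system comes from `systemctl show` and from trying the write.

```python
from pathlib import PurePosixPath

# Constructed drop-in with the same content as the security.conf posted above.
DROPIN = """\
[Service]
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/run
ReadWritePaths=/var
"""

API_FS = ("/dev", "/proc", "/sys")           # left writable by ProtectSystem=strict
HOME_DIRS = ("/home", "/root", "/run/user")  # made inaccessible by ProtectHome=yes

def parse_service_section(text):
    """Collect [Service] keys; *Paths= keys accumulate and an empty value resets them."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.endswith("Paths"):
            opts[key] = opts.get(key, []) + value.split() if value else []
        else:
            opts[key] = value
    return opts

def _under(path, prefix):
    p, q = PurePosixPath(path), PurePosixPath(prefix)
    return p == q or q in p.parents

def effective_access(path, opts):
    """Return 'rw', 'ro' or 'none' for an absolute path under the given options."""
    rules = []  # (prefix, access); assumption: the longest matching prefix wins
    if opts.get("ProtectSystem") == "strict":
        rules.append(("/", "ro"))
        rules += [(p, "rw") for p in API_FS]
    if opts.get("ProtectHome") in ("yes", "true"):
        rules += [(p, "none") for p in HOME_DIRS]
    elif opts.get("ProtectHome") == "read-only":
        rules += [(p, "ro") for p in HOME_DIRS]
    rules += [(p, "rw") for p in opts.get("ReadWritePaths", [])]
    rules += [(p, "ro") for p in opts.get("ReadOnlyPaths", [])]
    rules += [(p, "none") for p in opts.get("InaccessiblePaths", [])]
    hits = [(len(PurePosixPath(pre).parts), acc) for pre, acc in rules if _under(path, pre)]
    return max(hits)[1] if hits else "rw"  # no sandboxing options at all: everything writable

def audit(paths, text=DROPIN):
    """Map each path to its effective access under the drop-in text."""
    opts = parse_service_section(text)
    return {p: effective_access(p, opts) for p in paths}
```

Running `audit(["/run/log/journal", "/var/log/journal", "/usr/bin", "/root"])` shows the journal directories staying writable while /usr becomes read-only and /root disappears, which is the restriction the post asks for.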

