Using systemd features to secure services - DevConf.CZ 2020
Speakers: Zbigniew Jędrzejewski-Szmek
Systemd provides a bunch of features which can be used to contain and secure services.
First, it performs setup like creating runtime directories and opening sockets, so the service doesn't need privileges.
Second, it makes it easy to run services as unprivileged users, removing a whole set of problems.
Third, it uses kernel features like mount and network namespaces, capabilities, resource limits, to constrain services.
Fourth, it implements additional filters using BPF (per-service firewalls, devices controller).
Fifth, it does resource cleanup after the service is done, removing the need for privileges again.
We could use this to vastly simplify services and to provide an additional level of security for system services.
More and more services in Fedora are making use of this, but the common case is still to run as root with full access to everything the service doesn't need. I'll talk about the features that are the most useful and how they can be used in practice.
[ https://sched.co/YOtS ]
--
Recordings of talks at DevConf are a community effort. Unfortunately not everything works perfectly every time. If you're interested in helping us improve, let us know.
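The five mechanisms listed in the abstract map onto unit-file directives roughly as follows. This is an added example, not taken from the talk or its slides; the service name `exampled`, its binary path and the limit values are hypothetical.

```ini
# exampled.service -- constructed unit; "exampled" and its path are hypothetical
[Unit]
Description=Example daemon confined with systemd sandboxing

[Service]
ExecStart=/usr/bin/exampled

# 1. Setup done by systemd, so the daemon never needs root for it:
#    /run/exampled and /var/lib/exampled are created and chowned before start.
RuntimeDirectory=exampled
StateDirectory=exampled

# 2. Unprivileged user, allocated only for the lifetime of the service.
DynamicUser=yes

# 3. Kernel features: mount namespace, capabilities, resource limits.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
# Empty assignment drops every capability from the bounding set.
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LimitNOFILE=1024
MemoryMax=256M
TasksMax=64
# For a daemon that needs no network at all, use a private network namespace:
# PrivateNetwork=yes

# 4. BPF filters: per-service firewall and device access control.
IPAddressDeny=any
IPAddressAllow=localhost
DevicePolicy=closed

# 5. Cleanup: the runtime directory, the private /tmp and the dynamic UID
#    are all released by systemd when the service stops.
```

Running `systemd-analyze security exampled.service` against a loaded unit reports which sandboxing directives are still unset.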