Re: [GNUnet-developers] service files

From: Christian Grothoff
Subject: Re: [GNUnet-developers] service files
Date: Fri, 8 Mar 2019 03:51:35 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1

On 3/7/19 4:48 PM, Schanzenbach, Martin wrote:
> Hi,
>> On 7. Mar 2019, at 15:28, address@hidden wrote:
>> I just learned about a couple more specific systemd settings.
>> The ones I think which could be useful to extend our systemd
>> example service with are below.
>>> PrivateTmp:
>>> Use private /tmp and /var/tmp folders inside a new file system namespace, 
>>> which are discarded after the process stops.
> GNUnet has lots of things that need persistence. Like cryptographic keys.

Right, but never anything in /tmp. So this should be fine.

>>> ProtectHome:
>>> The /home, /root, and /run/user folders can not be accessed by this service 
>>> anymore. If your Pleroma user has its home folder in one of the restricted 
>>> places, or use one of these folders as its working directory, you have to 
>>> set this to false.

This breaks file-sharing indexing. So this should (with the current
implementation of FS) not be done for gnunet-service-fs by default.
Note that my planned (for 2030...) re-design of FS would lift this
restriction and enable setting ProtectHome.

> See above. /home/<user>/.config/gnunet et al.
>>> ProtectSystem:
>>> Mount /usr, /boot, and /etc as read-only for processes invoked by this 
>>> service.
> This might be interesting wrt hardening? Idk.

Yes, and GNUnet by design respects /usr, /boot and /etc being read-only.
So it would be a good thing for security to enforce this on platforms
where this is easily done.

Attachment: signature.asc
Description: OpenPGP digital signature
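
The three directives discussed in this message can be checked mechanically. The following is an added example, not part of the original e-mail or of GNUnet's own code: a small audit of a unit file's `[Service]` section. The function names, the `indexes_home` flag and the sample unit are hypothetical, and the rule that only `ProtectSystem=full` or `strict` makes /etc read-only comes from systemd's documented behaviour rather than from the thread.

```python
import re

# Boolean spellings systemd accepts in unit files.
TRUE = {"1", "yes", "true", "on"}
FALSE = {"0", "no", "false", "off"}

def service_settings(unit_text):
    """Return the last assignment of each key in the [Service] section."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(unit_text, indexes_home=False):
    """List hardening gaps; indexes_home marks a service that must read /home."""
    s = service_settings(unit_text)
    findings = []
    if s.get("PrivateTmp", "no").lower() not in TRUE:
        findings.append("PrivateTmp off: /tmp and /var/tmp shared with the host")
    protect_system = s.get("ProtectSystem", "no").lower()
    if protect_system in FALSE:
        findings.append("ProtectSystem off: /usr, /boot and /etc writable")
    elif protect_system in TRUE:
        # The plain boolean covers /usr and /boot only; /etc needs full.
        findings.append("ProtectSystem=yes leaves /etc writable: use full")
    elif protect_system not in ("full", "strict"):
        findings.append("ProtectSystem has unknown value: " + protect_system)
    protect_home = s.get("ProtectHome", "no").lower()
    if indexes_home and (protect_home in TRUE or protect_home == "tmpfs"):
        findings.append("ProtectHome hides /home: file-sharing indexing breaks")
    return findings

# Constructed sample unit, not taken from any GNUnet package.
SAMPLE_UNIT = """
[Unit]
Description=constructed sample
[Service]
ExecStart=/usr/local/bin/example-service
ProtectSystem=true
ProtectHome=yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_UNIT, indexes_home=True):
        print(finding)
```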
