Package: upstart

Upstart should provide additional security features, such as isolating processes from the network using network namespaces, restricting file system access, preventing processes from regaining privileges, system call filters, private /tmp and limiting device access.

See also this part of Russ' mail on -ctte:

Russ Allbery <r...@debian.org> writes:
> * Security defense in depth. Both upstart and systemd support the basics
>   (setting the user and group, process limits, and so forth). However,
>   systemd adds a multitude of additional defense in depth features,
>   ranging from capability limits to private namespaces or the ability to
>   deny a job access to the network. This is just a simple matter of
>   programming on the upstart side, but it still contributes to the general
>   feature deficit; the capabilities in systemd exist today. I'm sure I'm
>   not the only systems administrator who is expecting security features
>   and this sort of defense in depth to become increasingly important over
>   the next few years.
>
>   Here again, I think we have an opportunity for Debian to be more
>   innovative and forward-looking in what we attempt to accomplish in the
>   archive by adopting frameworks that let us incorporate the principles of
>   least privilege and defense in depth into our standard daemon
>   configurations.

Ansgar