Re: Re: systmd-analyze security as a release goal

2023-07-04 Thread Josh Triplett
Simon McVittie wrote: > For example, dbus-daemon can only usefully have hardening applied if it > was built with traditional (non-systemd) service activation disabled, > which we cannot usefully do in Debian for two reasons: because we support > non-systemd init systems, and because we don't (curre

Bug#1040317: ITP: vim-gruvbox -- gruvbox colorscheme for vim

2023-07-04 Thread Matthias Geiger
Package: wnpp Severity: wishlist Owner: Matthias Geiger X-Debbugs-Cc: debian-devel@lists.debian.org, Debian Vim Maintainers, matthias.geiger1...@tutanota.de * Package name: vim-gruvbox Version : 2.0.0 Upstream Contact: Pavel Perts

Re: systemd-analyze security as a release goal

2023-07-04 Thread Marco d'Itri
On Jul 04, "Trent W. Buck" wrote: > * If it runs its own process manager (e.g. postfix's "master"), > don't bother trying to harden it. I disagree. It may not be possible to use NoNewPrivileges, but at least file system hardening is usually trivial to enable for most daemons. > * If it

Re: systmd-analyze security as a release goal

2023-07-04 Thread Andrey Rakhmatullin
On Mon, Jul 03, 2023 at 11:40:18PM +0200, Marco d'Itri wrote: > This is a good example of what an almost fully sandboxed service looks > like: > > https://salsa.debian.org/md/rpki-client/-/blob/master/debian/rpki-client.service Cool but looks like a lot of work. Is it possible to do this without

Re: systmd-analyze security as a release goal

2023-07-04 Thread Marco d'Itri
On Jul 04, Andrey Rakhmatullin wrote: > Cool but looks like a lot of work. I do not think that this is really a lot of work. > Is it possible to do this without > applying the flags one by one and testing the result? Is it easier to You may intimately know what the daemon needs to do and how the

Re: Bug#1040032: rkdeveloptool: please switch to newer Pine64 fork

2023-07-04 Thread Christopher Obbard
Hi Jonas, On Sat, 2023-07-01 at 11:07 +0200, Jonas Smedegaard wrote: > Package: rkdeveloptool > Version: 1.32+git20210408.46bb4c0-3 > Severity: wishlist > Tags: upstream > > I own a PineNote, and use rkdeveloptool for flashing software onto it, > but have found the code in Debian to be inferior f

Re: Bug#1040032: rkdeveloptool: please switch to newer Pine64 fork

2023-07-04 Thread Jonas Smedegaard
Hi Christopher, Quoting Christopher Obbard (2023-07-04 16:01:19) > On Sat, 2023-07-01 at 11:07 +0200, Jonas Smedegaard wrote: > > I own a PineNote, and use rkdeveloptool for flashing software onto it, > > but have found the code in Debian to be inferior for that use. > > > > Please consider switch

Re: systemd-analyze security as a release goal

2023-07-04 Thread Trent W. Buck
Marco d'Itri writes: > On Jul 04, "Trent W. Buck" wrote: > >> * If it runs its own process manager (e.g. postfix's "master"), >> don't bother trying to harden it. > I disagree. It may not be possible to use NoNewPrivileges, but at least > file system hardening is usually trivial to enable

Re: systmd-analyze security as a release goal

2023-07-04 Thread Trent W. Buck
Marco d'Itri writes: > On Jul 04, Andrey Rakhmatullin wrote: > >> Cool but looks like a lot of work. [...] >> start with applying all of them and then looking what needs to be >> disabled? > This is what I do. FYI below is my basic workflow. Once you've done 2-5 daemons, you get a "feel" for

Re: systmd-analyze security as a release goal

2023-07-04 Thread Trent W. Buck
Marco d'Itri writes: > This is a good example of what an almost fully sandboxed service looks like: > https://salsa.debian.org/md/rpki-client/-/blob/master/debian/rpki-client.service My best score is a little better :-) On Debian 11 (systemd v247): → Overall exposure level for collection4.servic