DevConf.CZ 2020 has ended
Sunday, January 26 • 3:00pm - 3:55pm
Using systemd features to secure services

Systemd provides a bunch of features which can be used to contain and secure services.
First, it performs setup like creating runtime directories and opening sockets, so the service doesn't need privileges.
Second, it makes it easy to run services as unprivileged users, removing a whole set of problems.
Third, it uses kernel features like mount and network namespaces, capabilities, and resource limits to constrain services.
Fourth, it implements additional filters using BPF (per-service firewalls, devices controller).
Fifth, it does resource cleanup after the service is done, removing the need for privileges again.

We could use this to vastly simplify services and to provide an additional level of security for system services.
More and more services in Fedora are making use of this, but the common case is still to run as root with full access to everything the service doesn't need. I'll talk about the features that are the most useful and how they can be used in practice.
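
The five mechanisms listed in the abstract map onto unit-file directives roughly as follows. This is an added illustration, not material from the talk; the unit name `exampled`, the binary path, the port and the address range are hypothetical, and the daemon is assumed to support socket activation.

```ini
# --- exampled.socket (hypothetical) ---
[Socket]
# 1. systemd binds the privileged port itself and hands the listening
#    socket to the service, so the daemon never needs root to bind.
ListenStream=443
# 4. Per systemd.resource-control(5), IP filters for a socket-activated
#    listener are configured on the socket unit.
IPAddressDeny=any
# Constructed sample range
IPAddressAllow=10.0.0.0/8

[Install]
WantedBy=sockets.target

# --- exampled.service (hypothetical) ---
[Unit]
Description=Example daemon confined with systemd directives

[Service]
ExecStart=/usr/bin/exampled

# 1. Setup done by systemd: /run/exampled and /var/lib/exampled are
#    created with the right ownership before the daemon starts.
RuntimeDirectory=exampled
StateDirectory=exampled

# 2. Unprivileged user: a transient UID/GID allocated for this service.
DynamicUser=yes

# 3. Kernel features: mount namespace, capabilities, resource limits.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# An empty bounding set drops every capability.
CapabilityBoundingSet=
NoNewPrivileges=yes
MemoryMax=256M
TasksMax=64

# 4. BPF filters: block IP traffic on sockets the service opens itself,
#    and allow only the standard pseudo-devices (/dev/null and similar).
IPAddressDeny=any
DevicePolicy=closed

# 5. Cleanup: systemd removes /run/exampled and releases the dynamic
#    user when the service stops; no directive is needed for that.
```

Running `systemd-analyze security exampled.service` against a unit like this reports which sandboxing directives are still unset.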

Zbigniew Jędrzejewski-Szmek

plumber, Red Hat
systemd maintainer

Sunday January 26, 2020 3:00pm - 3:55pm CET
D0206 Faculty of Information Technology Brno University of Technology, Božetěchova, Brno-Královo Pole, Czechia