[175464] in North American Network Operators' Group
Re: Linux: concerns over systemd adoption and Debian's decision to
daemon@ATHENA.MIT.EDU (Jeffrey Ollie)
Wed Oct 22 15:24:49 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <544801D9.9050004@flowtools.net>
Date: Wed, 22 Oct 2014 14:24:40 -0500
From: Jeffrey Ollie <jeff@ocjtech.us>
To: John Schiel <jschiel@flowtools.net>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Wed, Oct 22, 2014 at 2:13 PM, John Schiel <jschiel@flowtools.net> wrote:
> On 10/22/2014 10:43 AM, C. Jon Larsen wrote:
>>
>> Incorrect assumption. systemd is a massive security hole waiting to happen
>> and it does not follow the unix philosophy of done 1 thing and do it
>> well/correct.
>
> i was beginning to wonder how secure systemd is also.
Personally, I feel that the systemd developers have given a lot of
thought to security, both in the systemd code itself and because
systemd makes it practical to use advanced features of the Linux
kernel that can improve security.
One example is the fact that systemd makes it very easy to give a
service a private /tmp and /var/tmp directory that no other service
uses by using Linux's filesystem namespaces. That can avoid all sorts
of tmpfile race conditions that have caused problems in the past.
Doing that in sysvinit, while possible, wasn't easy because you'd have
to modify each init.d script (and redo the change every time upstream
released a new update) to create/manage the filesystem namespace. In
practice it was never done.
--
Jeff Ollie
