Skip to Content [alt-c]


In reply to Systemd is not Magic Security Dust

Reader infosec on 2017-06-03 at 14:36:

Uhm... about Apache:

1. "Broad" access? No. A site exists under a directory. Of course the httpd will have access to files it is, uhm... serving.

2. Credentials used by PHP? Nope. Only if you run PHP DSO which you shouldn't. The web server can have zero access to PHP files, because properly configured fastcgi daemon (eg. php-fpm) will get a fastcgi REQUEST sent to by httpd. It is then the PHP itself that finds and opens a file for reading, parsing and execution.

3. Attacker gaining remote execution of httpd will be able to do all those things regardless of an init system. HOWEVER, systemd ALLOWS very simple and easy, all within the one unit file, configuration of seccomp filters, capability dropping, binding to <1000 ports for daemons not running as root, etc... I don't think any other init system does this? Oh, sure, it's not the domain of an init system to do all this? Think again, it exactly is, because init is managing processes.

It's hard to take the rest of your post seriously when you make such huge mistakes.


Post a Reply

Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with > are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim (good for code).
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.
  • Use the Preview button to check your formatting.