In reply to Systemd is not Magic Security Dust
Uhm... about Apache:
1. "Broad" access? No. A site exists under a directory. Of course the httpd will have access to files it is, uhm... serving.
2. Credentials used by PHP? Nope. Only if you run PHP DSO, which you shouldn't. The web server can have zero access to PHP files, because a properly configured fastcgi daemon (e.g. php-fpm) will get a fastcgi REQUEST sent to it by httpd. It is then PHP itself that finds and opens a file for reading, parsing and execution.
3. Attacker gaining remote execution of httpd will be able to do all those things regardless of an init system. HOWEVER, systemd ALLOWS very simple and easy, all within the one unit file, configuration of seccomp filters, capability dropping, binding to <1000 ports for daemons not running as root, etc... I don't think any other init system does this? Oh, sure, it's not the domain of an init system to do all this? Think again, it exactly is, because init is managing processes.
It's hard to take the rest of your post seriously when you make such huge mistakes.
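
The three unit-file settings named in point 3 of the comment above (seccomp filter, capability dropping, low-port binding for a non-root daemon), as an added example that is not part of the comment or the post it replies to. The service name, user account and binary path are hypothetical.

```ini
# /etc/systemd/system/exampled.service
# Constructed for illustration: "exampled" is a hypothetical web daemon.
[Unit]
Description=Example web daemon running unprivileged on port 80
After=network.target

[Service]
# Hypothetical binary and account. The process starts as this user,
# it never runs as root and then drops privileges itself.
ExecStart=/usr/local/bin/exampled --listen 0.0.0.0:80
User=exampled
Group=exampled

# Low-port binding without root: hand the non-root process exactly one
# capability through the ambient set.
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Capability dropping: the bounding set limits what the service and
# anything it executes can ever hold. NoNewPrivileges stops setuid or
# file-capability binaries from raising privileges on execve().
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# seccomp filter: start from the @system-service allow-list, then
# remove syscall groups this daemon is assumed not to need.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Denied syscalls return EPERM instead of killing the process.
SystemCallErrorNumber=EPERM
# Refuse syscalls made through non-native ABIs (e.g. 32-bit on x86-64).
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze security exampled.service` reports which of these settings are active for a loaded unit.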