On 12/12/16 20:44, Gert Doering wrote:
> Hi,
> On Fri, Dec 09, 2016 at 07:13:03PM +0100, Christian Hesse wrote:
>> From: Christian Hesse <m...@eworm.de>
>> ProtectSystem=strict mounts the entire file system hierarchy read-only,
>> except for the API file system subtrees /dev, /proc and /sys (which can
>> be protected using PrivateDevices=, ProtectKernelTunables=,
>> ProtectControlGroups=).
> Unless the temp directories are still writeable, this will break 
> server configs with --client-connect scripts or plugins trying to hand 
> back config settings via temp files.

Agreed, we cannot have /tmp (or --tmp-dir) read-only.

However, I read up a bit on ProtectSystem= on RHEL7.  And on RHEL7
(shipping systemd-219) ProtectSystem= can only be 'full' or 'true' (it
is 'false'/off by default).  We cannot use any other values, as RHEL
defines the oldest distros we support, and RHEL7 is the oldest systemd
distro we will support in the future.

We can definitely use ProtectSystem=true, as that ensure /usr and /boot
are read-only.  That is safe.  If using 'full', /etc is also made
read-only.  I personally think this makes sense too, as if you have any
state or log files, they should be placed under /var/log, {/var,}/run or

kind regards,

David Sommerseth
OpenVPN Technologies, Inc

Attachment: signature.asc
Description: OpenPGP digital signature

Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to