Re: [libvirt PATCH v2 26/33] systemd: Downgrade read-only/admin sockets to Wants

Thursday, 28 September 2023

On Wed, Sep 27, 2023 at 06:19:27PM +0200, Andrea Bolognani wrote:
...
 Only the main socket is actually necessary for the service to be
 usable.

 In the past, we've had security issues that could be exploited via
 access to the read-only socket, so a security-minded administrator
 might consider disabling all optional sockets. This change makes
 such a setup possible.

 Note that the services will still try to activate all their
 sockets on startup, even if they have been disabled. To make sure
 that the optional sockets are never started, they will have to be
 masked.

 Signed-off-by: Andrea Bolognani <abologna(a)redhat.com&gt;
 ---
  src/locking/virtlockd.service.in | 2 +-
  src/logging/virtlogd.service.in  | 2 +-
  src/virtd.service.in             | 4 ++--
  3 files changed, 4 insertions(+), 4 deletions(-) 
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com&gt;

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt PATCH v2 26/33] systemd: Downgrade read-only/admin sockets to Wants