Is this one of those "separation of duties" issues raise by the security guy? Then make sure everything you do is audited, problem solved.
Is this some guys who are jealous of their infrastructure or scared that their shitty implementations get exposed? You are one of the big guns now, don't let yourself be dissuaded by pavid minions. Explain the situation to your peers, gain their support, then strike. They are making changes because they expect changes to happen.
Systemd was forced down my throat by Arch Linux. I didn't know anything about the controversy back then, so I just thought: "There's probably a good reason for this, let's get to work".
I read some docs and I liked the security features a lot! You can tighten services easily with a declarative syntax.
Here's a snippet from my ntpdate.service file. You don't need much systemd knowledge to guess at what each line does:
...is worth a pound of cure.
Install Firefox, AdblockPlus, maybe even NoScript if you wanna be hardcore, and 99% of malware is blocked in its tracks.
Block the ability to download executable files and you'll be very close to 100%. No grandpa, you don't really need to install videoplayer.exe to see that porn clip.
Who has the time to hand-pick all the relevant tags for every file they download? Yeah, me neither. Finding time to put things in their own directory, and not dumping them all in "downloads", is a great accomplishment.
However finding a meaningful, hierarchical structure is non-trivial. I'm still working on it.
Slashdot Mirror
Is this one of those "separation of duties" issues raise by the security guy? Then make sure everything you do is audited, problem solved.
Is this some guys who are jealous of their infrastructure or scared that their shitty implementations get exposed? You are one of the big guns now, don't let yourself be dissuaded by pavid minions. Explain the situation to your peers, gain their support, then strike. They are making changes because they expect changes to happen.
Systemd was forced down my throat by Arch Linux. I didn't know anything about the controversy back then, so I just thought: "There's probably a good reason for this, let's get to work".
I read some docs and I liked the security features a lot! You can tighten services easily with a declarative syntax.
Here's a snippet from my ntpdate.service file. You don't need much systemd knowledge to guess at what each line does:
PrivateTmp=true
ReadOnlyDirectories=/
InaccessibleDirectories=/boot
InaccessibleDirectories=/root
InaccessibleDirectories=/etc/ssh
LimitNPROC=1
DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r
User=nobody
Group=nobody
CapabilityBoundingSet=CAP_SYS_TIME
NoNewPrivileges=true
I ended up enjoying that work and tightened things so much that I hit a bug, which was resolved in just a few days: https://bugs.freedesktop.org/s...
But I still don't know how to configure the network properly T_T
...is worth a pound of cure. Install Firefox, AdblockPlus, maybe even NoScript if you wanna be hardcore, and 99% of malware is blocked in its tracks. Block the ability to download executable files and you'll be very close to 100%. No grandpa, you don't really need to install videoplayer.exe to see that porn clip.
Who has the time to hand-pick all the relevant tags for every file they download? Yeah, me neither.
Finding time to put things in their own directory, and not dumping them all in "downloads", is a great accomplishment.
However finding a meaningful, hierarchical structure is non-trivial. I'm still working on it.