Fedora 40 plans to enable service isolation

For the Fedora 40 release, it is proposed to enable isolation settings for the systemd services that are enabled by default, as well as for services running critical applications such as PostgreSQL, Apache httpd, Nginx, and MariaDB. The change is expected to improve the security of the distribution in its default configuration and to make it possible to block unknown vulnerabilities in services. The proposal has not yet been reviewed by FESCo (Fedora Engineering Steering Committee), which is responsible for the development of the Fedora distribution. A proposal can also be rejected during community review.

Settings recommended for enabling:

  • PrivateTmp=yes - provide separate directories for temporary files.
  • ProtectSystem=yes/full/strict - mount the file system in read-only mode (in "full" mode - /etc/, in "strict" mode - all file systems except /dev/, /proc/ and /sys/).
  • ProtectHome=yes - deny access to users' home directories.
  • PrivateDevices=yes - leave access only to /dev/null, /dev/zero and /dev/random.
  • ProtectKernelTunables=yes - read-only access to /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq, and so on.
  • ProtectKernelModules=yes - prohibit loading kernel modules.
  • ProtectKernelLogs=yes - prohibit access to the kernel log buffer.
  • ProtectControlGroups=yes - read-only access to /sys/fs/cgroup/.
  • NoNewPrivileges=yes - prohibit privilege elevation through the setuid, setgid and capabilities flags.
  • PrivateNetwork=yes - place the service in a separate network stack namespace.
  • ProtectClock=yes - prohibit changing the time.
  • ProtectHostname=yes - prohibit changing the host name.
  • ProtectProc=invisible - hide other users' processes in /proc.
  • User= - change the user.

In addition, you can consider enabling the following settings:

  • CapabilityBoundingSet=
  • DevicePolicy=closed
  • KeyringMode=private
  • LockPersonality=yes
  • MemoryDenyWriteExecute=yes
  • PrivateUsers=yes
  • RemoveIPC=yes
  • RestrictAddressFamilies=
  • RestrictNamespaces=yes
  • RestrictRealtime=yes
  • RestrictSUIDSGID=yes
  • SystemCallFilter=
  • SystemCallArchitectures=native
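
To see how far a given unit is from the first list of recommended settings, the following added example (not code from Fedora or systemd) parses the [Service] section of a unit file and reports which of those directives are missing or set to a non-hardened value. The sample unit, the function names and the rule that only the values named in the list count as hardened are assumptions of this example.

```python
TRUE = {"yes", "true", "on", "1"}  # spellings systemd accepts for a true boolean
# Directive -> values counted as hardened (only those named in the list above).
RECOMMENDED = {
    "PrivateTmp": TRUE, "ProtectHome": TRUE, "PrivateDevices": TRUE,
    "ProtectKernelTunables": TRUE, "ProtectKernelModules": TRUE,
    "ProtectKernelLogs": TRUE, "ProtectControlGroups": TRUE,
    "NoNewPrivileges": TRUE, "PrivateNetwork": TRUE, "ProtectClock": TRUE,
    "ProtectHostname": TRUE,
    "ProtectSystem": TRUE | {"full", "strict"},
    "ProtectProc": {"invisible"},
}

# Constructed sample unit, not taken from any real package.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed demo service

[Service]
ExecStart=/usr/bin/demo-daemon
User=demo
PrivateTmp=yes
ProtectSystem=full
ProtectHome=no
# NoNewPrivileges=no
NoNewPrivileges=true
"""

def service_settings(unit_text):
    """Return {directive: value} for [Service]; a later assignment wins."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(unit_text):
    """Return (missing, weak, runs_as_root) for the recommended directives."""
    s = service_settings(unit_text)
    missing = sorted(k for k in RECOMMENDED if k not in s)
    weak = sorted(k for k in RECOMMENDED
                  if k in s and s[k].lower() not in RECOMMENDED[k])
    runs_as_root = s.get("User", "root") in ("", "root", "0")
    return missing, weak, runs_as_root
```

On a live system, `systemd-analyze security <unit>` reports the exposure of the loaded unit including drop-ins, which this text-only check does not see.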

Source: opennet.ru
