Pulogalamu ya ProHoster > Blog > nkhani zapaintaneti > Fedora 40 ikukonzekera kuyambitsa kudzipatula kwautumiki

Fedora 40 ikukonzekera kuyambitsa kudzipatula kwautumiki

Kutulutsidwa kwa Fedora 40 kumapereka mwayi wokhazikitsa makonda odzipatula a machitidwe a systemd omwe amathandizidwa mwachisawawa, komanso ntchito zokhala ndi zovuta monga PostgreSQL, Apache httpd, Nginx, ndi MariaDB. Zikuyembekezeka kuti kusinthaku kudzawonjezera kwambiri chitetezo chagawidwe mu kasinthidwe kosasintha ndikupangitsa kuti zitheke kuletsa zofooka zosadziwika muutumiki wadongosolo. Pempholi silinaganizidwebe ndi FESCo (Fedora Engineering Steering Committee), yomwe imayang'anira gawo laukadaulo la chitukuko cha kugawa kwa Fedora. Lingaliro likhoza kukanidwanso panthawi yowunikira anthu.

Zokonda zovomerezeka kuti muyambitse:

  • PrivateTmp=inde - kupereka maulalo osiyana okhala ndi mafayilo osakhalitsa.
  • ProtectSystem=inde/zodzaza/zolimba - khazikitsani fayilo mumayendedwe owerengera okha (munjira "yathunthu" - / etc/, mumayendedwe okhwima - mafayilo onse kupatula / dev/, /proc/ ndi / sys/).
  • ProtectHome=inde-ikukana mwayi wopeza zolemba zapanyumba.
  • PrivateDevices = inde - kusiya mwayi wopita ku / dev / null, / dev / zero ndi / dev / mwachisawawa
  • ProtectKernelTunables=inde - mwayi wowerengera kokha /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq, ndi zina.
  • ProtectKernelModules=inde - letsani kutsitsa ma module a kernel.
  • ProtectKernelLogs=yes - imaletsa kulowa kwa buffer ndi zipika za kernel.
  • ProtectControlGroups=inde - mwayi wowerenga-okha ku /sys/fs/gulu/
  • NoNewPrivileges=inde - kuletsa kukwezedwa kwamwayi kudzera mu mbendera za setuid, setgid ndi luso.
  • PrivateNetwork=inde - kuyika mu malo osiyana a network stack.
  • ProtectClock=indeβ€”letsani kusintha nthawi.
  • ProtectHostname=yes - imaletsa kusintha dzina la alendo.
  • ProtectProc=invisible - kubisa njira za anthu ena mu /proc.
  • Wogwiritsa = - sinthani wogwiritsa ntchito

Kuphatikiza apo, mungaganizire kuyatsa zokonda zotsatirazi:

  • CapabilityBoundingSet=
  • DevicePolicy=chatsekedwa
  • KeyringMode=zachinsinsi
  • LockPersonality=inde
  • MemoryDenyWriteExecute=inde
  • PrivateUsers=inde
  • RemoveIPC=inde
  • RestrictAddressFamilies=
  • RestrictNamespaces=inde
  • RestrictRealtime=inde
  • RestrictSUIDSGID=inde
  • SystemCallFilter=
  • SystemCallArchitectures=native

Source: opennet.ru

Kuwonjezera ndemanga