Comments on systemd service sandboxing and security hardening 101

Questions:

- Is there a similar tool for macOS services? I'm curious if there are possible LaunchDaemon and LaunchAgent plist settings I'm unaware of.

- Does it make sense to do this on a Mac / a Linux laptop vs. a Linux server? A server is much more likely to be running a consistent stack. Of course, anyone who wants to can run a strict set of software on their personal laptop, but I do not as much.

macOS doesn't have any user-space sandboxing tools. launchd doesn't have anything equivalent to systemd. launchd system daemons can run as a restricted user and group. That gains you some security. You can also set up a chroot, but you need to script that with no help from launchd.

Your personal computer that runs all sorts of random software is more likely to be compromised than a well-secured server. Your laptop also contains more valuable things you want to secure (email, banking, passwords).

I secure services that run on my PC. Anything that accepts external network connections, or parses external data is sandboxed and locked down. E.g. file sharing, sync tools, SSH, and the like. I also run all desktop apps, especially the web browser and Steam games, in sandboxed environments (Flatpak). So, you can secure your PC but it takes effort and you need to be running Linux.
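As an added example (not from the article or from any commenter), here is a systemd drop-in that applies the kind of lockdown described above to a hypothetical network-facing file-sharing daemon; the unit name myshare.service, the myshare user and the /var/lib/myshare state directory are assumptions, and every directive below is a standard systemd service option.

```ini
# /etc/systemd/system/myshare.service.d/hardening.conf
# Drop-in for a hypothetical daemon (myshare.service) that accepts external
# network connections. Tighten to what the real daemon actually needs;
# over-restricting only makes it fail to start, which journalctl will show.
[Service]
# Never run a network-facing daemon as root if it can be avoided.
User=myshare
Group=myshare
UMask=0077

# No privilege escalation and no capabilities at all. If the daemon must
# bind a port below 1024, allow only CAP_NET_BIND_SERVICE in both lines.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=

# Read-only view of the OS and no access to user homes; only the assumed
# state directory stays writable.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/myshare
PrivateTmp=yes
PrivateDevices=yes

# Hide kernel interfaces and other processes from the service.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid

# Reduce the attack surface available to a compromised process.
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes

# A file-sharing daemon needs IPv4/IPv6 sockets (and a local socket);
# everything else, e.g. AF_NETLINK or AF_PACKET, is denied.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Seccomp: native ABI only, the generic service allow-list, minus syscall
# groups a data-parsing daemon has no business calling.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

After `systemctl daemon-reload` and a restart, compare the exposure score before and after with `systemd-analyze security myshare.service`, and check the journal for denials if the daemon stops working.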
