From 599b8317f2a518fb3cf7c30cea9afc083c9d252c Mon Sep 17 00:00:00 2001 From: Tommy Date: Thu, 28 Sep 2023 05:39:50 -0700 Subject: [PATCH] Wording fix (#162) * Wording fix Signed-off-by: Tommy Co-authored-by: wj25czxj47bu6q <96372288+wj25czxj47bu6q@users.noreply.github.com> --- content/posts/linux/Desktop Linux Hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 54b01ff..a943331 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -247,7 +247,7 @@ firewall-cmd --add-service=dhcpv6-client --permanent firewall-cmd --reload ``` -On some distributions, it may be possible for unauthorized users or applications to make firewall changes through polkit. To disable this, enable firewalld _lockdown mode_ with `sudo firewall-cmd --lockdown-on`. +On some distributions, it may be possible for applications running as a `wheel` or `sudo` user to make firewall changes through polkit. To prevent this, enable firewalld _lockdown mode_ with `sudo firewall-cmd --lockdown-on`. These firewalls use the [netfilter](https://netfilter.org/) framework and therefore cannot (without the help of strict [mandatory access control](#mandatory-access-control)) protect against malicious software running privileged on the system, which can insert their own routing rules that sidestep firewalld/ufw.