Enable systemd hardening options for named
pemensik at redhat.com
Wed Jan 31 20:47:18 UTC 2018
On Fedora, CAP_DAC_OVERRIDE is not granted to bind, because it might be a
dangerous feature. CAP_DAC_READ_SEARCH is a little bit safer, but still
might be unnecessary. It should be possible to run even without it with
careful permission configuration of keys and config files.
I think CAP_SYS_RESOURCE is required to automatically adjust the maximum
number of file descriptors/sockets from the configuration. But I am not 100%
I recently rejected a request to change from Type=forking. Has anyone got
a patch for bind to support a Type=notice systemd service? I would like to
get rid of pid file handling, but Type=simple will not work for me.
I am not sure if PrivateDevices=yes can be used by default on Fedora. We
also package a named-pkcs11 version, which should be able to access
hardware tokens and accelerators. I doubt it would work with that. I
want them to still work if they worked until now. The normal variant might
use that; chroot already has its own empty /dev.
There is a nice page about this on the Fedora wiki:
On 15.1.2018 at 18:58 Ludovic Gasc wrote:
> (Not sure it's the right mailing list to discuss this, tell me if
> it's another one)
> For your information, systemd offers several options to increase the
> security of each daemon based on cgroups, like Docker or rkt.
> example: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Capabilities
> This approach makes it possible to keep the classical Linux distribution daemons
> with simple maintenance actions via apt or yum + the same container
> security as a Docker image.
> A discussion has already started on the Debian tracker:
> Based on this proposal, I made a new service override with extra
> security (see below).
> But now, I need your help for two parameters of systemd:
> 1. The list of minimal capabilities needed for bind to run
> correctly: http://man7.org/linux/man-pages/man7/capabilities.7.html
> 2. The list of minimal
> SystemCallFilter: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
> Where could I find the lists?
> If you have other ideas to increase the security, I'm interested.
> My objective is to propose this service file to be integrated in Debian
> and Fedora.
> Thanks for your feedback.
> The service override:
> CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID
> SystemCallFilter=~@mount @debug
> Ludovic Gasc (GMLudo)
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com PGP: 65C6C973
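Worked example for the thread above, added here by the editor; it is not Fedora's or ISC's shipped unit and not code from either poster. It writes the hardening drop-in that the thread discusses and then checks, from the kernel's own view in /proc/PID/status, that the running process really ended up with only the intended bounding set. The capability list NAMED_CAPS is an assumption assembled from the thread (Ludovic's proposal minus CAP_DAC_OVERRIDE, which Fedora drops, plus CAP_SETUID because `named -u` needs setuid as well as setgid, and CAP_SYS_RESOURCE for the rlimit adjustment Petr mentions); verify it against your own named invocation. The /proc status excerpt in the demo is constructed, and the file name hardening.conf is arbitrary.

```shell
#!/bin/sh
# Added example for the bind-users thread above (not Fedora's or ISC's unit):
# 1. a drop-in that applies the hardening discussed, and
# 2. a check that the running named really got only the intended bounding set.
set -eu

# Assumed capability set: Ludovic's proposal minus CAP_DAC_OVERRIDE (which
# Fedora drops), plus CAP_SETUID (named -u needs setuid as well as setgid) and
# CAP_SYS_RESOURCE (named raises RLIMIT_NOFILE from its "files" option).
# Add CAP_SYS_CHROOT only for the chroot variant (named -t).
NAMED_CAPS="CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE"

# write_dropin DIR: writes DIR/hardening.conf (file name is arbitrary). In
# production DIR is /etc/systemd/system/named.service.d, then daemon-reload.
write_dropin() {
  mkdir -p "$1"
  cat > "$1/hardening.conf" <<EOF
[Service]
CapabilityBoundingSet=$NAMED_CAPS
# If you would rather not grant CAP_SYS_RESOURCE, raise the limit here instead:
#LimitNOFILE=65536
SystemCallFilter=~@mount @debug
# Prevent the process tree from regaining privileges via setuid binaries.
NoNewPrivileges=yes
# Leave PrivateDevices off for named-pkcs11: it needs the HSM device nodes.
#PrivateDevices=yes
EOF
}

# Capability bit positions, from include/uapi/linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK: prints one CAP_* name per line for each bit set in a
# CapBnd/CapEff value as shown in /proc/PID/status (what capsh --decode shows).
decode_caps() {
  decode_mask=$(( 0x$1 ))
  decode_bit=0
  for decode_name in $CAP_NAMES; do
    if [ $(( (decode_mask >> decode_bit) & 1 )) -eq 1 ]; then
      printf 'CAP_%s\n' "$(printf '%s' "$decode_name" | tr a-z A-Z)"
    fi
    decode_bit=$(( decode_bit + 1 ))
  done
}

# check_status STATUSFILE: reads the CapBnd line of a /proc/PID/status file and
# lists every capability that is not in NAMED_CAPS. Returns 1 if any is found.
check_status() {
  check_hex=$(awk '/^CapBnd:/ {print $2}' "$1")
  if [ -z "$check_hex" ]; then
    echo "no CapBnd line in $1" >&2
    return 2
  fi
  check_unexpected=$(decode_caps "$check_hex" | while read -r check_cap; do
    case " $NAMED_CAPS " in
      *" $check_cap "*) ;;
      *) printf '%s\n' "$check_cap" ;;
    esac
  done)
  if [ -n "$check_unexpected" ]; then
    printf 'unexpected in bounding set: %s\n' $check_unexpected
    return 1
  fi
  return 0
}

# Demonstration on a constructed /proc/PID/status excerpt. Against a live
# system use: check_status /proc/$(systemctl show -p MainPID --value named.service)/status
demo() {
  demo_dir=$(mktemp -d)
  write_dropin "$demo_dir/named.service.d"
  # Constructed value: bits 1,6,7,10,24 = DAC_OVERRIDE SETGID SETUID
  # NET_BIND_SERVICE SYS_RESOURCE, i.e. a unit that still kept CAP_DAC_OVERRIDE.
  printf 'Name:\tnamed\nCapBnd:\t00000000010004c2\n' > "$demo_dir/status"
  if check_status "$demo_dir/status"; then
    echo "bounding set matches: $NAMED_CAPS"
  else
    echo "bounding set is wider than intended; fix the drop-in and daemon-reload"
  fi
  rm -rf "$demo_dir"
}
demo
```

The decode step is the part worth keeping around: CapabilityBoundingSet= in a unit only tells you what was asked for, while CapBnd in /proc/PID/status is what the kernel enforces, and the hex masks there are where a leftover CAP_DAC_OVERRIDE actually shows up. With the chroot variant, add CAP_SYS_CHROOT to NAMED_CAPS before running the check, or it will be reported as unexpected.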