systemd hardening for INN

Russ Allbery eagle at eyrie.org
Sat Aug 22 22:02:51 UTC 2020


I'm still testing, but in early experiments the following systemd service
unit seems to work for starting INN while applying considerably more
protections than the sample one included in the source tree.  (This is
using Debian package paths.)

[Unit]
Description=InterNetNews News Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/lib/news/bin/rc.news
ExecReload=/usr/sbin/ctlinnd -t 20 reload '' 'systemd unit reload'
ExecStop=/usr/lib/news/bin/rc.news stop
PIDFile=/run/news/innd.pid
User=news
Group=news
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RuntimeDirectory=news

[Install]
WantedBy=multi-user.target

Setting NoNewPrivileges will break most local sendmail implementations
because they're setuid or setgid to drop off mail in the mail queue.  With
this configuration, I'm using mSMTP as the configured mta, set to forward
mail via SMTP to localhost.

One can probably do better than this by adding some syscall filtering.  I
haven't tried experimenting with that yet.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
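A practitioner auditing a unit like the one above usually wants two checks: that the hardening directives are actually present after packaging or local edits, and that NoNewPrivileges=true is not paired with a setuid/setgid sendmail mta, which the post notes will break local mail. The script below is an added example, not code from Russ Allbery or from INN; it embeds the post's unit verbatim as test input, plus a constructed weak unit and two constructed inn.conf fragments (the `mta: "..."` line format is an assumption about INN's configuration syntax). It needs only POSIX sh and grep, so it runs without systemd.

```sh
#!/bin/sh
# Added example (not from the post or from INN): lint a systemd unit for the
# hardening directives the post applies, and flag the NoNewPrivileges vs.
# setuid-sendmail conflict.  POSIX sh + grep only; no systemd required.

# Baseline directives, taken from the post's unit.
HARDENING='NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full'

# Constructed input: the post's unit, verbatim.
HARDENED_UNIT=$(cat <<'EOF'
[Unit]
Description=InterNetNews News Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/lib/news/bin/rc.news
ExecReload=/usr/sbin/ctlinnd -t 20 reload '' 'systemd unit reload'
ExecStop=/usr/lib/news/bin/rc.news stop
PIDFile=/run/news/innd.pid
User=news
Group=news
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RuntimeDirectory=news

[Install]
WantedBy=multi-user.target
EOF
)

# Constructed input: a minimal unit with no hardening, for comparison.
WEAK_UNIT=$(cat <<'EOF'
[Service]
Type=forking
ExecStart=/usr/lib/news/bin/rc.news
User=news
Group=news
EOF
)

# Constructed inn.conf fragments.  Assumption: INN's mta key looks like this.
INNCONF_SENDMAIL='mta: "/usr/sbin/sendmail -oi -oem %s"'
INNCONF_MSMTP='mta: "/usr/bin/msmtp -oi %s"'

# has_directive UNIT_TEXT 'Key=value': exact whole-line, fixed-string match.
has_directive() {
  printf '%s\n' "$1" | grep -qxF -e "$2"
}

# missing_hardening UNIT_TEXT: print each baseline directive the unit lacks.
missing_hardening() {
  printf '%s\n' "$HARDENING" | while IFS= read -r want; do
    has_directive "$1" "$want" || printf '%s\n' "$want"
  done
}

# mta_conflict UNIT_TEXT INNCONF_TEXT: status 0 when NoNewPrivileges=true is
# combined with a sendmail-style mta (setuid/setgid submission breaks under
# NoNewPrivileges), status 1 otherwise.
mta_conflict() {
  if has_directive "$1" 'NoNewPrivileges=true' &&
     printf '%s\n' "$2" | grep -qE '^mta:.*sendmail'; then
    return 0
  fi
  return 1
}

# Example run.
echo "Hardened unit, missing directives:"
missing_hardening "$HARDENED_UNIT"
echo "Weak unit, missing directives:"
missing_hardening "$WEAK_UNIT"
if mta_conflict "$HARDENED_UNIT" "$INNCONF_SENDMAIL"; then
  echo "conflict: NoNewPrivileges=true with a sendmail mta; relay over SMTP instead"
fi
```

On a host with systemd, `systemd-analyze security innd.service` gives a fuller scoring of the same unit, including the syscall-filter gap the post mentions; the script above is only the offline sanity check for the directives the post actually sets.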