systemd hardening for INN

Julien ÉLIE julien at trigofacile.com
Sun Nov 8 20:22:41 UTC 2020


Hi Russ,

> I'm still testing, but in early experiments the following systemd service
> unit seems to work for starting INN while applying considerably more
> protections than the sample one included in the source tree.  (This is
> using Debian package paths.)
[...]
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectControlGroups=true
> ProtectHome=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectSystem=full
> RuntimeDirectory=news
[...]

Any improvement since your last mail in August?


> Setting NoNewPrivileges will break most local sendmail implementations
> because they're setuid or setgid to drop off mail in the mail queue.  With
> this configuration, I'm using mSMTP as the configured mta, set to forward
> mail via SMTP to localhost.

So maybe this setting should be commented out in the sample.

-- 
Julien ÉLIE

"It is not by turning your back on things that you face them."
   (Pierre Dac)
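As an added check that is not part of this thread or of INN itself: Russ's remark that NoNewPrivileges breaks setuid/setgid sendmail implementations can be turned into a small pre-deployment test. The script below (POSIX sh; the unit path and the path of the configured mta are assumed arguments) reports when a unit enabling NoNewPrivileges=true is paired with a setuid or setgid MTA binary, which is exactly the combination that silently breaks local mail delivery.

```shell
#!/bin/sh
# Added example, not code from the inn-workers thread or the INN source tree.
# Assumptions: $1 is a systemd unit file, $2 is the MTA binary INN is
# configured to run (the "mta" setting in inn.conf on a real system).

# Returns 0 when the unit enables NoNewPrivileges (commented-out lines are
# ignored, so "#NoNewPrivileges=true" does not count as enabled).
unit_sets_nonewprivs() {
    grep -Eq '^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*(true|yes|on|1)[[:space:]]*$' "$1"
}

# Returns 0 when the binary carries a setuid or setgid bit.  Under
# NoNewPrivileges=true the kernel ignores these bits, so a sendmail that
# relies on them to write into the mail queue will fail.
mta_is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Prints a verdict; returns 1 when the combination would break mail delivery.
check_inn_unit() {
    unit=$1
    mta=$2
    if [ ! -e "$mta" ]; then
        printf 'ERROR: MTA binary %s not found\n' "$mta"
        return 2
    fi
    if unit_sets_nonewprivs "$unit" && mta_is_setid "$mta"; then
        printf 'CONFLICT: %s sets NoNewPrivileges=true but %s is setuid/setgid\n' "$unit" "$mta"
        return 1
    fi
    printf 'OK: %s and %s are compatible\n' "$unit" "$mta"
    return 0
}

# Usage: check_inn_unit /etc/systemd/system/inn.service /usr/sbin/sendmail
```

A non-setuid forwarder such as mSMTP passes the check, which matches the workaround described in the quoted mail.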

