systemd hardening for INN
Julien ÉLIE
julien at trigofacile.com
Sun Nov 8 20:22:41 UTC 2020
Hi Russ,
> I'm still testing, but in early experiments the following systemd service
> unit seems to work for starting INN while applying considerably more
> protections than the sample one included in the source tree. (This is
> using Debian package paths.)
[...]
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectControlGroups=true
> ProtectHome=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectSystem=full
> RuntimeDirectory=news
[...]
Any improvement since your last mail in August?
> Setting NoNewPrivileges will break most local sendmail implementations
> because they're setuid or setgid to drop off mail in the mail queue. With
> this configuration, I'm using mSMTP as the configured mta, set to forward
> mail via SMTP to localhost.
So maybe this setting should be commented out in the sample.
--
Julien ÉLIE
« Ce n'est pas en tournant le dos aux choses qu'on leur fait face. »
(Pierre Dac)
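As an added illustration of the NoNewPrivileges point above (this is editorial example code, not part of Russ's or Julien's messages and not INN's own tooling): the POSIX shell functions below check whether a systemd unit turns on NoNewPrivileges and whether the configured mta binary carries a setuid or setgid bit, which is exactly the combination that makes a local sendmail stop working. All file paths used in the demo are constructed in a temporary directory; nothing here assumes real Debian paths.

```shell
#!/bin/sh
# Defensive pre-flight check: NoNewPrivileges=true prevents setuid/setgid
# bits from granting privilege, so an MTA that relies on them (most local
# sendmail wrappers) will fail to queue mail. Flag that combination before
# deploying the unit.

# unit_sets_nnp UNITFILE
# Returns 0 if the unit has an uncommented NoNewPrivileges=true|yes|on|1.
unit_sets_nnp() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*(true|yes|on|1)[[:space:]]*$' "$1"
}

# mta_needs_privilege PATH
# Returns 0 if PATH is setuid or setgid (so it depends on privilege
# escalation at exec time), 1 if it is a plain binary, 2 if it is missing.
mta_needs_privilege() {
    [ -e "$1" ] || return 2
    if [ -u "$1" ] || [ -g "$1" ]; then
        return 0
    fi
    return 1
}

# check_unit_vs_mta UNITFILE MTAPATH
# Prints one of: conflict, ok, missing-mta.
check_unit_vs_mta() {
    unit="$1"
    mta="$2"
    mta_needs_privilege "$mta"
    case $? in
        2) echo "missing-mta"; return 0 ;;
        0) if unit_sets_nnp "$unit"; then echo "conflict"; else echo "ok"; fi ;;
        *) echo "ok" ;;
    esac
}

# Stand-alone demo with constructed files (hypothetical names, not real
# system paths). A setuid "mta" plus a hardened unit should report "conflict".
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo_dir/sendmail_setuid"
chmod 4755 "$demo_dir/sendmail_setuid"
printf '#!/bin/sh\n' > "$demo_dir/msmtp_plain"
chmod 0755 "$demo_dir/msmtp_plain"
printf '[Service]\nNoNewPrivileges=true\nProtectSystem=full\n' > "$demo_dir/hardened.service"
printf '[Service]\n# NoNewPrivileges=true\nProtectSystem=full\n' > "$demo_dir/relaxed.service"

echo "hardened + setuid sendmail: $(check_unit_vs_mta "$demo_dir/hardened.service" "$demo_dir/sendmail_setuid")"
echo "hardened + plain msmtp:     $(check_unit_vs_mta "$demo_dir/hardened.service" "$demo_dir/msmtp_plain")"
echo "relaxed  + setuid sendmail: $(check_unit_vs_mta "$demo_dir/relaxed.service" "$demo_dir/sendmail_setuid")"
rm -rf "$demo_dir"
```

The check only detects the setuid/setgid case; an MTA that delivers over a local SMTP socket without privilege, as Russ describes with mSMTP, reports "ok" and is the usual way to keep NoNewPrivileges=true.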