systemd hardening for INN
Russ Allbery
eagle at eyrie.org
Mon Nov 30 01:48:05 UTC 2020
Julien ÉLIE <julien at trigofacile.com> writes:
>> I'm still testing, but in early experiments the following systemd service
>> unit seems to work for starting INN while applying considerably more
>> protections than the sample one included in the source tree. (This is
>> using Debian package paths.)
> [...]
>> AmbientCapabilities=CAP_NET_BIND_SERVICE
>> NoNewPrivileges=true
>> PrivateDevices=true
>> PrivateTmp=true
>> ProtectControlGroups=true
>> ProtectHome=true
>> ProtectKernelModules=true
>> ProtectKernelTunables=true
>> ProtectSystem=full
>> RuntimeDirectory=news
> [...]
> Any improvement since your last mail in August?
Nope, it seems to be working well on Debian stable.
>> Setting NoNewPrivileges will break most local sendmail implementations
>> because they're setuid or setgid to drop off mail in the mail queue.
>> With this configuration, I'm using mSMTP as the configured mta, set to
>> forward mail via SMTP to localhost.
> So maybe this setting should be commented out in the sample.
Yes, what you committed looks great to me. Thanks!
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
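The following is an added example, not part of the original message or of INN's sample unit. It audits a unit file's [Service] section against the directives quoted in the thread and flags the NoNewPrivileges conflict with a setuid or setgid MTA binary. The function names, the sample unit text and the file modes are assumptions constructed for illustration.

```python
import stat

# Directives and values quoted in the thread.
EXPECTED = {
    "AmbientCapabilities": "CAP_NET_BIND_SERVICE", "NoNewPrivileges": "true",
    "PrivateDevices": "true", "PrivateTmp": "true",
    "ProtectControlGroups": "true", "ProtectHome": "true",
    "ProtectKernelModules": "true", "ProtectKernelTunables": "true",
    "ProtectSystem": "full", "RuntimeDirectory": "news",
}
TRUTHY = {"1", "yes", "y", "true", "t", "on"}  # spellings systemd accepts for true

def service_settings(unit_text):
    """Return {directive: value} from [Service]; commented-out lines are ignored.
    Simplification: the last assignment of a directive wins."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            settings[key.strip()] = "true" if value.lower() in TRUTHY else value
    return settings

def audit(unit_text, mta_mode):
    """mta_mode is the st_mode of the configured MTA binary (os.stat(path).st_mode)."""
    settings = service_settings(unit_text)
    missing = sorted(k for k, v in EXPECTED.items() if settings.get(k) != v)
    # A setuid/setgid MTA gains nothing when run under NoNewPrivileges.
    privileged_mta = bool(mta_mode & (stat.S_ISUID | stat.S_ISGID))
    breaks = settings.get("NoNewPrivileges") == "true" and privileged_mta
    return {"missing": missing, "mail_breaks": breaks}

# Constructed inputs: a partial unit, and modes for a setgid and a plain binary.
SAMPLE_UNIT = """[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=true
ProtectSystem=full
"""
SETGID_MTA = stat.S_IFREG | stat.S_ISGID | 0o755
PLAIN_MTA = stat.S_IFREG | 0o755

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT, SETGID_MTA))
    print(audit(SAMPLE_UNIT, PLAIN_MTA))
```

On a real host, pass os.stat() of the configured mta binary's st_mode as mta_mode; an MTA that forwards over SMTP to localhost without setuid or setgid bits reports mail_breaks as False.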
More information about the inn-workers mailing list