systemd hardening for INN

Russ Allbery eagle at eyrie.org
Mon Nov 30 01:48:05 UTC 2020


Julien ÉLIE <julien at trigofacile.com> writes:

>> I'm still testing, but in early experiments the following systemd service
>> unit seems to work for starting INN while applying considerably more
>> protections than the sample one included in the source tree.  (This is
>> using Debian package paths.)
> [...]
>> AmbientCapabilities=CAP_NET_BIND_SERVICE
>> NoNewPrivileges=true
>> PrivateDevices=true
>> PrivateTmp=true
>> ProtectControlGroups=true
>> ProtectHome=true
>> ProtectKernelModules=true
>> ProtectKernelTunables=true
>> ProtectSystem=full
>> RuntimeDirectory=news
> [...]

> Any improvement since your last mail in August?

Nope, it seems to be working well on Debian stable.

>> Setting NoNewPrivileges will break most local sendmail implementations
>> because they're setuid or setgid to drop off mail in the mail queue.
>> With this configuration, I'm using mSMTP as the configured mta, set to
>> forward mail via SMTP to localhost.

> So maybe this setting should be commented out in the sample.

Yes, what you committed looks great to me.  Thanks!

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
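
Added example, not part of the original message and not INN's own code: a small audit of a unit file's [Service] section that reports which of the hardening directives quoted above are unset and flags the NoNewPrivileges conflict with a setuid or setgid MTA binary described in the thread. The sample unit, the file mode and all function names are constructed for illustration.

```python
import stat

# Hardening directives quoted in the message above.
HARDENING = (
    "NoNewPrivileges", "PrivateDevices", "PrivateTmp", "ProtectControlGroups",
    "ProtectHome", "ProtectKernelModules", "ProtectKernelTunables", "ProtectSystem",
)
TRUE_VALUES = ("1", "yes", "true", "on")  # spellings systemd accepts for a true boolean

# Constructed sample unit (not INN's shipped file).
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
"""

def parse_service(text):
    """Return key -> value for [Service]; drop-ins and continuations are not handled."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or commented-out setting
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()   # last assignment wins
    return settings

def audit(unit_text, mta_mode):
    """mta_mode is the st_mode of the configured MTA binary (from os.stat)."""
    settings = parse_service(unit_text)
    missing = [d for d in HARDENING if d not in settings]
    privileged_mta = bool(mta_mode & (stat.S_ISUID | stat.S_ISGID))
    conflict = settings.get("NoNewPrivileges", "").lower() in TRUE_VALUES and privileged_mta
    return missing, conflict

if __name__ == "__main__":
    # Constructed mode: regular file, setuid, 0755.
    print(audit(SAMPLE_UNIT, stat.S_IFREG | stat.S_ISUID | 0o755))
```
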

