systemd hardening for INN
eagle at eyrie.org
Mon Nov 30 01:48:05 UTC 2020
Julien ÉLIE <julien at trigofacile.com> writes:
>> I'm still testing, but in early experiments the following systemd service
>> unit seems to work for starting INN while applying considerably more
>> protections than the sample one included in the source tree. (This is
>> using Debian package paths.)
> Any improvement since your last mail in August?
Nope, it seems to be working well on Debian stable.
>> Setting NoNewPrivileges will break most local sendmail implementations
>> because they're setuid or setgid to drop off mail in the mail queue.
>> With this configuration, I'm using mSMTP as the configured mta, set to
>> forward mail via SMTP to localhost.
> So maybe this setting should be commented out in the sample.
Yes, what you committed looks great to me. Thanks!
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
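The NoNewPrivileges point discussed in the message above can be checked before enabling the setting. The following is an added example, not code from the thread or from INN: it reads the `mta:` line of an inn.conf-style file and reports whether that program depends on setuid/setgid bits. The function names are hypothetical, and the path to inn.conf is passed as an argument.

```shell
#!/bin/sh
# Added example: check whether the MTA named in inn.conf relies on
# setuid/setgid bits, which no longer grant privileges on exec once
# NoNewPrivileges=yes is set on the service unit.

# Print the program path from the first "mta:" line of an inn.conf-style
# file (assumed format: mta: "/path/to/program args %s", quotes optional).
mta_binary_from_conf() {
    sed -n 's/^[[:space:]]*mta:[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" |
        head -n 1
}

# Return 0 if the binary has no set-id bits, 1 if it is setuid or setgid
# (it would run without its extra privileges under NoNewPrivileges),
# 2 if the path does not exist.
mta_nnp_check() {
    bin=$1
    [ -e "$bin" ] || { echo "missing: $bin"; return 2; }
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "set-id: $bin (gains no privileges under NoNewPrivileges)"
        return 1
    fi
    echo "ok: $bin"
    return 0
}

# Usage: sh check-mta.sh /path/to/inn.conf
if [ "$#" -gt 0 ]; then
    mta_nnp_check "$(mta_binary_from_conf "$1")"
fi
```

A result of 1 means the unit needs either NoNewPrivileges left commented out or an MTA that submits over SMTP instead.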