systemd hardening for INN

Russ Allbery eagle at
Mon Nov 30 01:48:05 UTC 2020

Julien ÉLIE <julien at> writes:

>> I'm still testing, but in early experiments the following systemd service
>> unit seems to work for starting INN while applying considerably more
>> protections than the sample one included in the source tree.  (This is
>> using Debian package paths.)
> [...]
>> AmbientCapabilities=CAP_NET_BIND_SERVICE
>> NoNewPrivileges=true
>> PrivateDevices=true
>> PrivateTmp=true
>> ProtectControlGroups=true
>> ProtectHome=true
>> ProtectKernelModules=true
>> ProtectKernelTunables=true
>> ProtectSystem=full
>> RuntimeDirectory=news
> [...]

> Any improvement since your last mail in August?

Nope, it seems to be working well on Debian stable.

>> Setting NoNewPrivileges will break most local sendmail implementations
>> because they're setuid or setgid to drop off mail in the mail queue.
>> With this configuration, I'm using mSMTP as the configured mta, set to
>> forward mail via SMTP to localhost.

> So maybe this setting should be commented out in the sample.

Yes, what you committed looks great to me.  Thanks!

Russ Allbery (eagle at             <>

    Please send questions to the list rather than mailing me directly.
     <> explains why.

More information about the inn-workers mailing list