Package: openntpd
Version: 1:5.7p4-2
Severity: wishlist
Dear Maintainer,
It is possible to use systemd.exec(5) features to confine OpenNTPd.
This is helpful in reducing the potential damage caused by a
compromise of the daemon, beyond the privilege-dropping that
OpenNTPd already performs.
Please consider shipping with the openntpd package a systemd unitfile
which employs those security features.
In particular, it is possible to start the service with reduced
capabilities and in a more contrieved namespace:
> [Service]
> # The service gets its own instance of {/var,}/tmp
> PrivateTmp=true
>
> # Only exposes API pseudo-devices (/dev/null, zero, random, ...)
> PrivateDevices=true
>
> # Makes /usr, /boot and /etc read-only
> ProtectSystem=full
>
> # Prevents access to /home, /root and /run/user
> ProtectHome=true
>
> CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG
> CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
> NoNewPrivileges=true
It might be possible to avoid giving the daemon CAP_SYS_CHROOT by
starting through systemd-nspawn(1), but I didn't investigate yet.
This would prevent someone gaining root in the chroot from escaping.
Best regards,
nicoo
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openntpd depends on:
ii adduser 3.113+nmu3
ii init-system-helpers 1.28
ii libc6 2.21-9
ii netbase 5.3
openntpd recommends no packages.
openntpd suggests no packages.
-- no debconf information
