Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. systemd hardening for INN (Russ Allbery)
----------------------------------------------------------------------
Message: 1
Date: Sat, 22 Aug 2020 15:02:51 -0700
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: systemd hardening for INN
Message-ID: <[email protected]>
Content-Type: text/plain
I'm still testing, but in early experiments the following systemd service
unit seems to work for starting INN while applying considerably more
protections than the sample one included in the source tree. (This is
using Debian package paths.)
[Unit]
Description=InterNetNews News Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/lib/news/bin/rc.news
ExecReload=/usr/sbin/ctlinnd -t 20 reload '' 'systemd unit reload'
ExecStop=/usr/lib/news/bin/rc.news stop
PIDFile=/run/news/innd.pid
User=news
Group=news
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RuntimeDirectory=news

[Install]
WantedBy=multi-user.target
Setting NoNewPrivileges will break most local sendmail implementations
because they're setuid or setgid to drop off mail in the mail queue. With
this configuration, I'm using mSMTP as the configured mta, set to forward
mail via SMTP to localhost.
One can probably do better than this by adding some syscall filtering. I
haven't tried experimenting with that yet.
--
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
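As an added example (not code from the post above, nor from INN), the following script parses a unit file with systemd's own syntax rules (comments, backslash continuation, repeated keys appending, an empty assignment resetting a key) and audits the [Service] section against a hardening checklist. The checklist goes beyond the posted unit: it adds the syscall filtering the post mentions as a next step plus a handful of other real systemd sandboxing directives, but it is an audit list for a practitioner to test against innd, not a claim that each entry is safe for INN. The two caveat checks encode the setuid-sendmail problem described above and the ReadWritePaths= requirement that ProtectSystem=strict brings (the spool/log/state paths INN writes are the operator's to fill in). The sample unit is the one from the post, embedded as constructed input.

```python
"""Audit a systemd service unit against a sandboxing checklist (added example)."""

# Constructed sample input: the unit from the post, Debian paths unchanged.
SAMPLE_UNIT = """\
[Unit]
Description=InterNetNews News Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/lib/news/bin/rc.news
ExecReload=/usr/sbin/ctlinnd -t 20 reload '' 'systemd unit reload'
ExecStop=/usr/lib/news/bin/rc.news stop
PIDFile=/run/news/innd.pid
User=news
Group=news
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RuntimeDirectory=news

[Install]
WantedBy=multi-user.target
"""

# (directive, value wanted). A generic checklist of real systemd directives
# (systemd >= 245); each entry still has to be tested against the daemon.
HARDENING = [
    ("NoNewPrivileges", "true"), ("PrivateDevices", "true"), ("PrivateTmp", "true"),
    ("ProtectControlGroups", "true"), ("ProtectHome", "true"),
    ("ProtectKernelModules", "true"), ("ProtectKernelTunables", "true"),
    ("ProtectKernelLogs", "true"), ("ProtectClock", "true"), ("ProtectHostname", "true"),
    ("RestrictRealtime", "true"), ("RestrictSUIDSGID", "true"),
    ("LockPersonality", "true"), ("RestrictNamespaces", "true"),
    ("ProtectSystem", "strict"),
    ("CapabilityBoundingSet", "CAP_NET_BIND_SERVICE"),
    ("RestrictAddressFamilies", "AF_UNIX AF_INET AF_INET6"),
    ("SystemCallArchitectures", "native"),
    ("SystemCallFilter", "@system-service"),
]


def parse_unit(text):
    """Parse unit-file syntax into {section: {key: [values...]}}.

    Per systemd.syntax(7): lines starting with '#' or ';' are comments, a
    trailing backslash continues the line, repeated keys append, and an
    empty assignment (Key=) resets everything set for that key so far.
    """
    sections, current, carry = {}, None, ""
    for raw in text.splitlines():
        line = carry + raw
        carry = ""
        if line.rstrip().endswith("\\"):
            carry = line.rstrip()[:-1] + " "
            continue
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        if stripped[0] == "[" and stripped[-1] == "]":
            current = stripped[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in stripped:
            raise ValueError("malformed unit line: %r" % line)
        key, _, value = stripped.partition("=")  # first '=' only; values may contain '='
        values = sections[current].setdefault(key.strip(), [])
        if value.strip() == "":
            values.clear()  # empty assignment resets the setting
        else:
            values.append(value.strip())
    return sections


def effective(section, key):
    """Last value wins for scalar settings; None when unset or reset."""
    values = section.get(key)
    return values[-1] if values else None


def audit(text):
    """Return findings: missing or weaker directives, plus operational caveats."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    for key, want in HARDENING:
        got = effective(svc, key)
        if got is None:
            findings.append("missing %s=%s" % (key, want))
        elif got != want:
            findings.append("%s=%s (checklist wants %s)" % (key, got, want))
    if effective(svc, "NoNewPrivileges") == "true":
        findings.append("caveat: NoNewPrivileges=true makes the kernel ignore setuid/setgid "
                        "bits on anything the daemon executes (e.g. a local sendmail); "
                        "hand mail to an SMTP listener instead")
    if effective(svc, "ProtectSystem") == "strict" and not svc.get("ReadWritePaths"):
        findings.append("caveat: ProtectSystem=strict with no ReadWritePaths= leaves only "
                        "/dev, /proc, /sys and the managed Runtime/State/Logs directories "
                        "writable; list the spool, log and state paths the daemon writes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_UNIT):
        print(finding)
```

Run against the posted unit it reports ProtectSystem=full as weaker than strict, the absent SystemCallFilter= and related directives, and the NoNewPrivileges caveat; the strict/ReadWritePaths caveat only fires once ProtectSystem is tightened, which is exactly when the INN spool paths need to be listed.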
End of inn-workers Digest, Vol 122, Issue 5
*******************************************