Package: dictd Version: 1.13.0+dfsg-1 Severity: normal Tags: patch
It would be good if dictd was configure to use the systemd security features when running on systemd systms. The below are settings that I have tested and found to work. If we had dictd use all the systemd features instead of just running init.d scripts then we could make it a little stricter, we could remove CAP_SETUID CAP_SETGID and CAP_KILL for starters. I know it's close to freeze, but dictd isn't a particularly complex daemon and it won't break things badly if it has a problem. The probability of a system being pwned via dictd is very low but it would be good to get the "systemd-analyze security" score for Debian as low as possible. [Service] CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_KILL CAP_SYS_PTRACE SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @resources @swap @module @obsolete @clock ProtectSystem=strict ProtectProc=invisible SystemCallArchitectures=native DevicePolicy=closed UMask=077 NoNewPrivileges=true ProtectKernelLogs=true ProtectControlGroups=true ProtectKernelModules=true ProtectSystem=true ProtectHome=true PrivateTmp=true MemoryDenyWriteExecute=true ProtectHostname=true LockPersonality=true RestrictRealtime=true RestrictSUIDSGID=true ProtectClock=true RestrictNamespaces=true RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -- System Information: Debian Release: bookworm/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-5-amd64 (SMP w/2 CPU threads; PREEMPT) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: SELinux: enabled - Mode: Enforcing - Policy name: default Versions of packages dictd depends on: ii adduser 3.131 ii debconf [debconf-2.0] 1.5.82 ii dictzip 1.13.0+dfsg-1 ii init-system-helpers 1.65.2 ii libc6 2.36-8 ii libmaa4 1.4.7-1 ii lsb-base 11.6 ii netbase 6.4 ii sysvinit-utils [lsb-base] 3.06-2 ii ucf 3.0043+nmu1 ii update-inetd 4.52 ii zlib1g 1:1.2.13.dfsg-1 Versions of packages dictd recommends: ii dict [dict-client] 1.13.0+dfsg-1 Versions of packages dictd suggests: ii dict-elements [dictd-dictionary] 20001107-a-9.1 ii dict-foldoc [dictd-dictionary] 20230119-1 ii dict-gcide [dictd-dictionary] 0.48.5+nmu2 ii dict-jargon [dictd-dictionary] 4.4.7-3.1 ii dict-vera [dictd-dictionary] 1:1.24-1 ii dict-wn [dictd-dictionary] 1:3.0-37 -- Configuration Files: /etc/init.d/dictd [Errno 13] Permission denied: '/etc/init.d/dictd' -- debconf information: dictd/run_mode: daemon