Bug#816446: nginx: Please use systemd confinement features

2016-04-05 Thread Nicolas Braud-Santoni
On Thu, Mar 31, 2016 at 10:14:20AM +0300, Christos Trochalakis wrote:
> I also believe it makes sense to enable the security features for
> systemd users. `ProtectHome` is a bit tricky as it could possibly break
> some setups, we could use `read-only` there.
>
> Currently we are a bit overwhelmed

Bug#816446: nginx: Please use systemd confinement features

2016-03-31 Thread Christos Trochalakis
Hello all,

On Wed, Mar 30, 2016 at 07:40:24PM +0200, Moritz Muehlenhoff wrote:
On Tue, Mar 01, 2016 at 02:35:39PM -0800, Michael Lustfield wrote:
Control: tags -1 + wontfix
I have three significant issues with adding systemd confinement to nginx out of the box:
I disagree with these:
1)

Bug#816446: nginx: Please use systemd confinement features

2016-03-30 Thread Moritz Muehlenhoff
On Tue, Mar 01, 2016 at 02:35:39PM -0800, Michael Lustfield wrote:
> Control: tags -1 + wontfix
>
> I have three significant issues with adding systemd confinement to
> nginx out of the box:

I disagree with these:

> 1) This will introduce significant differences between Debian servers
>

Bug#816446: nginx: Please use systemd confinement features

2016-03-01 Thread Nicolas Braud-Santoni
Control: retitle -1 nginx: Please mention systemd confinement features in the documentation
Control: tags -1 - wontfix

On Tue, Mar 01, 2016 at 02:35:39PM -0800, Michael Lustfield wrote:
> I have three significant issues with adding systemd confinement to
> nginx out of the box:

They are all

Bug#816446: nginx: Please use systemd confinement features

2016-03-01 Thread Nicolas Braud-Santoni
Oops, the comments were not meant to be in French:

> # CAP_KILL : Nginx signals its child processes that have a different UID
> # CAP_SETUID CAP_SETGID : Nginx drops privileges
> # CAP_NET_BIND_SERVICE : Nginx clearly listens to ports <1024
> # CAP_SYSLOG : Nginx sends logs to syslog
>

Bug#816446: nginx: Please use systemd confinement features

2016-03-01 Thread Michael Lustfield
Control: tags -1 + wontfix

I have three significant issues with adding systemd confinement to nginx out of the box:

1) This will introduce significant differences between Debian servers running systemd and every single other init system that Debian supports.
2) Anyone using systemd would have

Bug#816446: nginx: Please use systemd confinement features

2016-03-01 Thread nicolas
Source: nginx
Severity: wishlist

Dear Maintainer,

Nginx can be confined using features from systemd.exec(5). This can be very helpful in mitigating a potential compromise of the service. Please consider enabling those security features in future versions of the package.

Here is a (commented)