Bug#871610: memcached: Please add hardening to systemd .service file.

2017-08-16 Thread Chris Lamb
Hi Andreas,

> A better approach would be to install the upstream service file.

Sure, hence why I followed up on the bug pointing out it was
just a merge so the maintainer was aware. :)

I should have been more explicit throughout. Naturally we should
endeavour to install theirs for all the reasons you suggest.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#871610: memcached: Please add hardening to systemd .service file.

2017-08-16 Thread Andreas Henriksson
Hi,

Chiming in here because I can send email.

On Tue, Aug 15, 2017 at 05:10:37PM -0700, Chris Lamb wrote:
> Hey David,
> 
> > memcached: Please add hardening to systemd .service file.
> 
> Note that this is merely merging upstream's .service file (which is in the
> orig tarball) into the Debian one.

fwiw, I consider this the wrong approach.

Next time upstream adds more useful stuff, our shipped unit files will
yet again be outdated and missing out on things.

A better approach would be to install the upstream service file.
In case there's a need for Debian-specific adaptations of it, then just
use the standard mechanisms and ship a debian/patches/foo.patch file
with the changes you need. (See source format "3.0 (quilt)".)

Upstream systemd is designed in a way that unit files can and should be
maintained upstream instead of in (downstream) distributions. This is to
allow the best possible unit files to be collaboratively created and
reviewed by those who know the inner details of the code best (while
also avoiding pointless differences between distributions).

You're basically inventing your own (inferior) patch system by doing
it the other way around. See also #850157 for people who want to
explicitly forbid that.

Regards,
Andreas Henriksson



Bug#871610: memcached: Please add hardening to systemd .service file.

2017-08-15 Thread Chris Lamb
Hey David,

> memcached: Please add hardening to systemd .service file.

Note that this is merely merging upstream's .service file (which is in the
orig tarball) into the Debian one.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#871610: memcached: Please add hardening to systemd .service file.

2017-08-09 Thread Chris Lamb
Source: memcached
Version: 1.5.0-1
Severity: wishlist
Tags: patch

Hi,

Please add some hardening features to the systemd .service file. :)

(Patch attached.)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb, Debian Project Leader
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diff --git a/debian/memcached.service b/debian/memcached.service
index fae53a5..f816a93 100644
--- a/debian/memcached.service
+++ b/debian/memcached.service
@@ -6,5 +6,56 @@ Documentation=man:memcached(1)
 [Service]
 ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper 
/etc/memcached.conf
 
+# Set up a new file system namespace and mounts private /tmp and /var/tmp 
directories
+# so this service cannot access the global directories and other processes 
cannot
+# access this service's directories.
+PrivateTmp=true
+
+# Mounts the /usr, /boot, and /etc directories read-only for processes invoked 
by this unit.
+ProtectSystem=full
+
+# Ensures that the service process and all its children can never gain new 
privileges
+NoNewPrivileges=true
+
+# Sets up a new /dev namespace for the executed processes and only adds API 
pseudo devices
+# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY 
subsystem) to it,
+# but no physical devices such as /dev/sda.
+PrivateDevices=true
+
+# Required for dropping privileges and running as a different user
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+
+# Attempts to create memory mappings that are writable and executable at the 
same time,
+# or to change existing memory mappings to become executable are prohibited.
+MemoryDenyWriteExecute=true
+
+# Explicit module loading will be denied. This allows to turn off module load 
and unload
+# operations on modular kernels. It is recommended to turn this on for most 
services that
+# do not need special file systems or extra kernel modules to work.
+ProtectKernelModules=true
+
+# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, 
/proc/latency_stats,
+# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only 
to all processes
+# of the unit. Usually, tunable kernel variables should only be written at 
boot-time, with the
+# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; 
it is hence
+# recommended to turn this on for most services.
+ProtectKernelTunables=true
+
+# The Linux Control Groups (cgroups(7)) hierarchies accessible through 
/sys/fs/cgroup will be
+# made read-only to all processes of the unit. Except for container managers 
no services should
+# require write access to the control groups hierarchies; it is hence 
recommended to turn this on
+# for most services
+ProtectControlGroups=true
+
+# Any attempts to enable realtime scheduling in a process of the unit are 
refused.
+RestrictRealtime=true
+
+# Restricts the set of socket address families accessible to the processes of 
this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Takes away the ability to create or manage any kind of namespace
+RestrictNamespaces=true
+
 [Install]
 WantedBy=multi-user.target
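Review bot: the comment above CapabilityBoundingSet= ("Required for dropping privileges and running as a different user") explains CAP_SETUID and CAP_SETGID but not CAP_SYS_RESOURCE, which is unrelated to changing user; either document what the wrapper or memcached needs that capability for, or drop it from the set if nothing does, since a reader cannot verify the third entry from the comment as written. Minor: the ProtectControlGroups= comment ends without a period ("for most services"), unlike the other copied descriptions.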