Bug#921812: mldonkey-server: Add systemd service file for better security
Hi Mehdi, Thank you for considering the patch. On 1/17/21 04:27, Mehdi Dogguy wrote: [...] I have a doubt about which systemd features to enable by default though. I can see thath Fedora/RedHat enabled really a few, as you can see in [1]. For this reason, I'll ask for advice from Michael (systemd's maintainer). Michael, Sunil here is proposing a .service file for mldonkey-server. I am wondering if we should aim for a simplistic approach as in [1] or if we should enable by default features proposed by Sunil in his patch (see below). What do you think? What would be your recommendation? [1] https://src.fedoraproject.org/rpms/mldonkey/blob/2a45ff06778cadc4d58435ca1e7187396012c6f1/f/mldonkey.service Debian wiki[1][2] and upstream[3][4] has some resources that could help with deciding security sandboxing features. Let me know if an explanation of the features in mldonkey context would be helpful. Links: 1) https://wiki.debian.org/Teams/pkg-systemd/Packaging 2) https://wiki.debian.org/ServiceSandboxing 3) http://0pointer.net/public/systemd-nluug-2014.pdf 4) http://ftp.nluug.nl/video/nluug/2014-11-20_nj14/zaal-2/5_Lennart_Poettering_-_Systemd.webm Thanks, -- Sunil OpenPGP_0x36C361440C9BC971.asc Description: OpenPGP public key OpenPGP_signature Description: OpenPGP digital signature
Bug#921812: mldonkey-server: Add systemd service file for better security
Package: mldonkey-server Version: 3.1.6-1+b1 Severity: wishlist Tags: patch -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear Maintainer, It would nice to have a systemd service file for starting/stopping the daemon. It would avoid problems like #920466 and improve security due various restrictions that systemd can place. Attached is service file that we have tested for some simple operations. It lets the log get collected by journald on systems running systemd allowing for better log rotation too. Thanks, - -- Sunil - -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), LANGUAGE=en_IN.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages mldonkey-server depends on: ii adduser3.118 ii debconf [debconf-2.0] 1.5.70 ii libbz2-1.0 1.0.6-9 ii libc6 2.28-5 ii libgcc11:8.2.0-14 ii libgd3 2.2.5-5 ii libjpeg62-turbo1:1.5.2-2+b1 ii libpng16-161.6.36-2 ii libstdc++6 8.2.0-14 ii lsb-base 10.2018112800 ii mime-support 3.61 ii ucf3.0038+nmu1 ii zlib1g 1:1.2.11.dfsg-1 mldonkey-server recommends no packages. mldonkey-server suggests no packages. -BEGIN PGP SIGNATURE- iQJFBAEBCgAvFiEE5xPDY9ZyWnWupXSBQ+oc/wqnxfIFAlxeN80RHHN1bmlsQG1l ZGhhcy5vcmcACgkQQ+oc/wqnxfI/FQ//ehnR13Ji5Up0G/onwHyarHM+Fd5whjmn +clBJG28zX42ttgvFfbYokpEF6hoa0UeojNCKUayAlZIP+hK4opDv6u6dCABIr7H hJczQt+sVgumRmzwXtxEQIzgz1cz60CGxSo9QTJprFm5Lq+ZdoaTPczruaOUDMGA 5/6slk4QTiAD8mYwArH1ajGEj0qkea/A5YZjvMXjwpckXGqzwuaoiR6ApelNrZYm ZPscdPMHW+eLRUkhNXxbGB2KUCCAiRxRwYpbpdzvesYG7m1OCIw2M6X5rcR0uIcA cBYH2SKkqWo59hy6d5VZ21tGwhdsps4rRK4nFJXYRC64K8IMSOMfRcF6nkgzYugP QAsfLVrgy3PivkRKsoW572gR+ofEqTPX+Lo/+RBJFUCkSYf1JQBZSRPGBDm7veK7 8jyBNDqckXqhDpXbdEmBEvDfyiMpVfTa4Ec3VT0re75+q7Y2IFY2FEzmHoweAyCy LrcjahXZjdjM4QSBPpSnkoaPi+1yWHvlAh2thSFsD7ct2cNHn5dzTg/8qgrdMM0y xAajptd70Cg9j8Twi8U4F/bFV5xxbyjK0GvrDHaGPBeEFt4IClR3BAQRazwZ2mQo FgDomWH1KsSkkllMfg08pz1voDJWyBNdSAnwASTgQ3rI2UiIwz6HbRr/4psWIUuy MIQM+kyuXpU= =H4cX -END PGP SIGNATURE- [Unit] Description=MLDonkey: Multi-protocol, peer-to-peer file sharing server After=syslog.target network.target ConditionPathExists=/var/lib/mldonkey/downloads.ini Documentation=man:mlnet(1) http://mldonkey.sourceforge.net/Main_Page [Service] ExecStart=/usr/bin/mlnet Group=mldonkey LockPersonality=yes NoNewPrivileges=yes PrivateDevices=yes PrivateMounts=yes PrivateTmp=yes PrivateUsers=yes ProtectControlGroups=yes ProtectHome=yes ProtectKernelModules=yes ProtectKernelTunables=yes ProtectSystem=strict ReadWritePaths=/var/lib/mldonkey RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictRealtime=yes StateDirectory=mldonkey SystemCallArchitectures=native Type=simple User=mldonkey WorkingDirectory=/var/lib/mldonkey [Install] WantedBy=multi-user.target
Bug#920466: mldonkey-server: Init script fails to stop daemon properly
Package: mldonkey-server Version: 3.1.6-1+b1 Severity: normal Tags: patch -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear Maintainer, As part of adding mldonkey into FreedomBox, we noticed that the mldonkey-server does not stop properly. This is because start-stop-daemon is asked to stop based only on the PID file which is owned by non-root user. Making the process match more specific fixes the problem. # start-stop-daemon --stop --pidfile /var/run/mldonkey/mlnet.pid start-stop-daemon: matching only on non-root pidfile /var/run/mldonkey/mlnet.pid is insecure # echo $? 2 # start-stop-daemon --stop --pidfile /var/run/mldonkey/mlnet.pid --exec /usr/bin/mlnet # echo $? 0 I have created a merge request to fix the issue. Tagging this issue with 'patch'. https://salsa.debian.org/ocaml-team/mldonkey/merge_requests/1 - -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), LANGUAGE=en_IN.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages mldonkey-server depends on: ii adduser3.118 ii debconf [debconf-2.0] 1.5.70 ii libbz2-1.0 1.0.6-9 ii libc6 2.28-5 ii libgcc11:8.2.0-14 ii libgd3 2.2.5-5 ii libjpeg62-turbo1:1.5.2-2+b1 ii libpng16-161.6.36-2 ii libstdc++6 8.2.0-14 ii lsb-base 10.2018112800 ii mime-support 3.61 ii ucf3.0038+nmu1 ii zlib1g 1:1.2.11.dfsg-1 mldonkey-server recommends no packages. -BEGIN PGP SIGNATURE- iQJFBAEBCgAvFiEE5xPDY9ZyWnWupXSBQ+oc/wqnxfIFAlxLhiMRHHN1bmlsQG1l ZGhhcy5vcmcACgkQQ+oc/wqnxfK/1w/9H/vFfCW/N7EM1DkzWkHoNzKtaW/Xn0Ih rJzb7fUyq3LFBexILTMHvgz8d/hPoRFuktgY2Thvq8E546bRB4oYfStXfFO+njXd LkMKEPhyKqTgOfRjCMKVr7QUtBpYN5XBze99esEhIGzg9Al/vZXyBxtz4voFJ2LL R0p/0FlWCT6fXsy3z0T5Mfm0jV4IyC42bh/1MemzR7ATmvc6mL9/TMXV3vZEdX2A OMu+XRkJhown5vQVeC32hfJWreb5J93urVPdHXltXZb5tJjvx9X3tfNAK3i/EEx+ 5aXktK4/TP8BAj/A2uJ6yxf4vE5HFPxrca8ZrX4qcjstHuaB/yGCru2oWaUzkBD5 0RFn5HOtwXI8NXVP6zTIimVQqkoXzeY8SQsSQBToWkxjJchXQ0u9EiijdZM5nDNJ qfJVp/qk6okK9MerP2sNwtHAWyxgOa5iqFrifITmLoJfZrmtkkg4VRs1eYpCGHr9 v9E2wCsKfRp2V/tKzASbxk6Oc7P7iEBWMmQTAmuSmK84k2VvQTwjMy+OCOOeIue5 Gqdwz1+BgpIF4baRgIalYIu9iGHfQBErfY3GLgcdjJx+ketfqZHw3VTlLjCipfUt D/ppP5q4FlHnlb5OraNakVwei1Bdn2wK7UnevjqGcMMYRm5m1YkK3Ci3gUnwz4zv Ruln29zlUD8= =5KnO -END PGP SIGNATURE-