Hi, I am trying to secure the Apache webserver (mpm-prefork) as much as possible.

Am I right that with the following settings in the systemd unit, after the child process is forked with the "apache" user and the capabilities are reduced as below, even a potential root exploit would have no success?

"SecureBits=noroot" fails, I guess, because it even disallows the parent process to run as root after start.

SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
_____________________________________________

[root@srv-rhsoft:~]$ cat /usr/lib/systemd/system/httpd.service
[Unit]
Description=Apache Webserver
After=network.service

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop
KillSignal=SIGCONT
TimeoutStopSec=2
Restart=always
RestartSec=1
UMask=006
PrivateTmp=yes
SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/spool

[Install]
WantedBy=multi-user.target
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
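
An added example, not part of the original post: one way to check that a forked httpd worker really carries the restrictions from the unit above is to decode the CapBnd, CapEff and NoNewPrivs fields of its /proc/<pid>/status and compare them with the CapabilityBoundingSet= line. The status excerpt is constructed, uid 48 for "apache" is an assumption, and the function names are hypothetical.

```python
import re

# Bit numbers from linux/capability.h for the capabilities the unit lists.
CAP_BITS = {"CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_KILL": 5,
            "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_NET_BIND_SERVICE": 10,
            "CAP_IPC_LOCK": 14}

UNIT_LINE = ("CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID "
             "CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK")

# Constructed /proc/<pid>/status excerpt for a forked worker; uid 48 for
# "apache" is an assumption. The NoNewPrivs field needs Linux 4.10 or later.
SAMPLE_CHILD_STATUS = (
    "Name:\thttpd\n"
    "Uid:\t48\t48\t48\t48\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t00000000000044e3\n"
    "NoNewPrivs:\t1\n"
)

def expected_mask(unit_line):
    """Turn a CapabilityBoundingSet= line into the kernel's bit mask."""
    mask = 0
    for name in unit_line.split("=", 1)[1].split():
        mask |= 1 << CAP_BITS[name]
    return mask

def audit(status_text, unit_line):
    """Return a list of findings; an empty list means the process matches the unit."""
    f = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.M))
    findings = []
    # Any bit set in CapBnd that the unit did not list means the limit did not apply.
    extra = int(f["CapBnd"], 16) & ~expected_mask(unit_line)
    if extra:
        bits = [b for b in range(64) if extra >> b & 1]
        findings.append(f"bounding set has bits the unit does not list: {bits}")
    if f.get("NoNewPrivs") != "1":
        findings.append("no_new_privs is not set")
    # Second number on the Uid line is the effective uid.
    euid = int(f["Uid"].split()[1])
    if euid != 0 and int(f["CapEff"], 16):
        findings.append(f"uid {euid} still holds effective capabilities {f['CapEff']}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CHILD_STATUS, UNIT_LINE) or "matches the unit")
```

To check a live process, pass the contents of /proc/<pid>/status for the parent and for each worker instead of the sample string.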