[systemd-devel] question about SecureBits / NoNewPrivileges

Reindl Harald h.reindl at thelounge.net
Fri Jul 19 19:06:18 PDT 2013


Hi

I try to secure the Apache webserver (mpm-prefork) as much as possible.

Am I right that, with the following settings in the systemd unit, after the child process
is forked with the "apache" user and the capabilities are reduced as below, even a
potential root exploit would have no success? "SecureBits=noroot" fails, I guess,
because it even disallows the parent process to run as root after start.

SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
_____________________________________________

[root at srv-rhsoft:~]$ cat /usr/lib/systemd/system/httpd.service
[Unit]
Description=Apache Webserver
After=network.service

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop
KillSignal=SIGCONT
TimeoutStopSec=2
Restart=always
RestartSec=1
UMask=006
PrivateTmp=yes
SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
InaccessibleDirectories=/boot
InaccessibleDirectories=/home
InaccessibleDirectories=/root
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=/var/spool

[Install]
WantedBy=multi-user.target
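Whether the child processes really end up with the reduced capability set can be checked on the running service rather than reasoned about. The following is an added example, not code from the post or from systemd: it parses /proc/<pid>/status (the kernel does not expose securebits there, so it checks the bounding set, the effective set and NoNewPrivs) and compares it with the CapabilityBoundingSet= line of the unit above; the sample status text is constructed.

```python
import re

# Capability names in kernel bit order (include/uapi/linux/capability.h).
CAP_NAMES = (
    "CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID "
    "CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE "
    "CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW "
    "CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT "
    "CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE "
    "CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE "
    "CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE "
    "CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ"
).split()

# CapabilityBoundingSet= exactly as in the httpd.service above.
UNIT_BOUNDING_SET = {"CAP_CHOWN", "CAP_SETGID", "CAP_SETUID", "CAP_DAC_OVERRIDE",
                     "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_IPC_LOCK"}

# Constructed /proc/<pid>/status excerpt for a forked child running as uid 48
# (apache); 0x44e3 is the bit mask of the seven capabilities listed above.
SAMPLE_STATUS = ("Name:\thttpd\nUid:\t48\t48\t48\t48\n"
                 "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
                 "CapEff:\t0000000000000000\nCapBnd:\t00000000000044e3\n"
                 "NoNewPrivs:\t1\n")

def parse_status(text):
    """Map each 'Field:<tab>value' line of a status file to its value string."""
    return dict(re.findall(r"^(\w+):\t(.*)$", text, re.M))

def decode_caps(hexmask):
    """Translate a Cap* hex mask into the set of capability names it contains."""
    mask = int(hexmask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def audit(status_text, expected=UNIT_BOUNDING_SET):
    """Return a list of findings; an empty list means the child looks as intended."""
    st = parse_status(status_text)
    problems = []
    extra = decode_caps(st["CapBnd"]) - expected   # bounding set wider than the unit says
    if extra:
        problems.append("extra caps in bounding set: " + ", ".join(sorted(extra)))
    if st.get("NoNewPrivs") != "1":                 # NoNewPrivileges=yes did not take effect
        problems.append("NoNewPrivs is not set")
    if st["Uid"].split()[0] != "0" and decode_caps(st["CapEff"]):
        problems.append("non-root child still holds effective caps")
    return problems

def audit_pid(pid):
    """Run the same audit on a live process, e.g. one child PID from systemctl status httpd."""
    with open(f"/proc/{pid}/status") as fh:
        return audit(fh.read())
```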


