[systemd-devel] Use of capabilities in default service files

Reindl Harald h.reindl at thelounge.net
Tue Jul 21 04:31:32 PDT 2015


On 21.07.2015 at 13:24, Florian Weimer wrote:
> On 07/20/2015 02:34 PM, Reindl Harald wrote:
>>
>> On 20.07.2015 at 13:58, Florian Weimer wrote:
>>> On 07/20/2015 01:52 PM, Reindl Harald wrote:
>>>>
>>>>
>>>> On 20.07.2015 at 13:24, Florian Weimer wrote:
>>>>> CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
>>>>> m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN )
>>>>>
>>>>> What's the intent of these settings?  Is it a form of hardening?  If
>>>>> yes, it is rather ineffective because UID=0 does not need any
>>>>> capabilities to completely compromise the system.
>>>>
>>>> UID=0 *does* need capabilities,
>>>
>>> drwxr-xr-x. 2 root root   37 Jun 13 10:09 /etc/cron.d
>>> -rw-r--r--. 1 root root 3068 Jul 17 19:47 /etc/passwd
>>>
>>> UID=0 without CAP_DAC_OVERRIDE (or any other capabilities) can write to
>>> these locations and escalate fairly directly to full root.
>>
>> why should it need CAP_DAC_OVERRIDE when it *owns* the files and has
>> write permissions?
>
> Exactly, it's the reason why I suspect something fishy is going on if
> people try to harden services running UID=0 by taking away capabilities.

The point of hardening is to make it more difficult for a machine to
get owned with an exploit - there is no 100% secure - you just want to
make things as difficult as possible.

>> chown the file to a different user and root no longer
>> can write there
>>
>> to protect /etc and /usr "ReadOnlyDirectories" is the way to go
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>
> Then you still have instant root through:

Have fun on our httpd... and no, I did not add
"InaccessibleDirectories=-/var/spool" just now, it has been there for years.

[Unit]
Description=Apache Webserver
After=network.service systemd-networkd.service network-online.target mysqld.service

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/httpd
Environment="PATH=/usr/bin:/usr/sbin"
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
Restart=always
RestartSec=1
UMask=006

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
# capabilities not listed here are removed from the bounding set
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
# a leading "~" means the listed families are denied and all others allowed
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_IPX AF_NETLINK AF_PACKET AF_X25
SystemCallArchitectures=x86-64

# the more specific path wins, so the read-write entry carves a writable
# subtree out of the read-only /var/lib; "-" ignores a path that does not exist
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=-/var/lib/smokeping

InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/etc/dbus-1
InaccessibleDirectories=-/etc/modprobe.d
InaccessibleDirectories=-/etc/modules-load.d
InaccessibleDirectories=-/etc/postfix
InaccessibleDirectories=-/etc/ssh
InaccessibleDirectories=-/etc/sysctl.d
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/usr/lib64/dbus-1
InaccessibleDirectories=-/usr/lib64/xtables
InaccessibleDirectories=-/usr/lib/dracut
InaccessibleDirectories=-/usr/libexec/iptables
InaccessibleDirectories=-/usr/libexec/openssh
InaccessibleDirectories=-/usr/libexec/postfix
InaccessibleDirectories=-/usr/lib/grub
InaccessibleDirectories=-/usr/lib/kernel
InaccessibleDirectories=-/usr/lib/modprobe.d
InaccessibleDirectories=-/usr/lib/modules
InaccessibleDirectories=-/usr/lib/modules-load.d
InaccessibleDirectories=-/usr/lib/rpm
InaccessibleDirectories=-/usr/lib/sysctl.d
InaccessibleDirectories=-/usr/lib/udev
InaccessibleDirectories=-/usr/local/scripts
InaccessibleDirectories=-/var/db
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/dnf
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/lib/yum
InaccessibleDirectories=-/var/spool

[Install]
WantedBy=multi-user.target
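
An added example (not code from the thread or from systemd) of checking the mount-namespace directives discussed above: it parses a [Service] section, resolves which rule applies to a path with systemd's most-specific-path rule, and reports what a UID=0 service can still write to. The sample unit is constructed and trimmed from the one quoted above; the function names are my own.

```python
"""Which paths a systemd unit's ReadWrite/ReadOnly/InaccessibleDirectories=
leave writable (most specific path wins). Added example, not from the thread."""
import posixpath

MODES = {"ReadWriteDirectories": "rw", "ReadOnlyDirectories": "ro",
         "InaccessibleDirectories": "none"}
SAMPLE_UNIT = """[Service]
ExecStart=/usr/sbin/httpd -D FOREGROUND
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr /var/lib
ReadWriteDirectories=-/var/lib/smokeping
InaccessibleDirectories=-/var/lib/dbus -/var/spool
"""  # constructed sample, trimmed from the unit quoted in the thread


def parse_service(text):
    """Return (User= or None, [(path, mode), ...]) from [Service]. Repeated
    assignments append; the '-' prefix (ignore a missing path) is dropped."""
    user, rules, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if section != "Service" or not sep:
            continue
        if key == "User":
            user = value or None
        elif key in MODES:
            rules += [(posixpath.normpath(p.lstrip("-")), MODES[key])
                      for p in value.split()]
    return user, rules


def effective_access(rules, path):
    """Longest matching prefix wins; an uncovered path keeps full access."""
    path = posixpath.normpath(path)
    hits = [(len(p), m) for p, m in rules
            if path == p or path.startswith(p.rstrip("/") + "/")]
    return max(hits)[1] if hits else "rw"


def root_writable(unit_text, paths):
    """Paths a UID=0 service can still write to; for root-owned files the
    capability set is irrelevant (the thread's point), only these rules are."""
    user, rules = parse_service(unit_text)
    if user not in (None, "root", "0"):
        return []  # runs unprivileged: ordinary file permissions apply instead
    return [p for p in paths if effective_access(rules, p) == "rw"]
```

The check covers only these directives; it says nothing about paths reached through submounts, which these settings do not cover.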
