From 4f6539b31dfc38e7ad3e639278c3e3c3b1509dad Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Fri, 7 Dec 2018 21:54:44 +0100
Subject: [PATCH] Introduce systemd.exec restrictions for better security
---
 .../system/dovecot.service.d/custom.conf | 17 +++++++++++++++++
 .../system/mariadb.service.d/custom.conf | 16 ++++++++++++++++
 etc/systemd/system/nginx.service.d/custom.conf | 14 ++++++++++++++
 etc/systemd/system/php7.3-fpm@.service | 14 ++++++++++++++
 etc/systemd/system/php7.3-fpm@default.service | 16 ++++++++++++++++
 .../system/postfix.service.d/custom.conf | 15 +++++++++++++++
 .../system/postfix@.service.d/custom.conf | 15 +++++++++++++++
 etc/systemd/system/vsftpd.service.d/custom.conf | 13 +++++++++++++
 8 files changed, 120 insertions(+)
 create mode 100644 etc/systemd/system/dovecot.service.d/custom.conf
 create mode 100644 etc/systemd/system/postfix.service.d/custom.conf
 create mode 100644 etc/systemd/system/postfix@.service.d/custom.conf
 create mode 100644 etc/systemd/system/vsftpd.service.d/custom.conf
diff --git a/etc/systemd/system/dovecot.service.d/custom.conf b/etc/systemd/system/dovecot.service.d/custom.conf
new file mode 100644
index 0000000..0ef4191
--- /dev/null
+++ b/etc/systemd/system/dovecot.service.d/custom.conf
@@ -0,0 +1,17 @@
+[Service]
+LimitNOFILE=100000
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+BindPaths=/run/dovecot/
+BindPaths=/var/run/dovecot/
+BindPaths=/var/lib/dovecot/
+InaccessiblePaths=/var/www/
+InaccessiblePaths=/root/
diff --git a/etc/systemd/system/mariadb.service.d/custom.conf b/etc/systemd/system/mariadb.service.d/custom.conf
index 50596c3..9beeab5 100644
--- a/etc/systemd/system/mariadb.service.d/custom.conf
+++ b/etc/systemd/system/mariadb.service.d/custom.conf
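Review bot: The only writable locations this drop-in leaves under ProtectSystem=strict are /run/dovecot, /var/run/dovecot and /var/lib/dovecot, so wherever mail_location points (on Debian it commonly defaults to a directory under the user's home with the INBOX in /var/mail) stays read-only, and index/flag updates and LMTP delivery would fail unless the store happens to live under /var/lib/dovecot — confirm the mail store location and add `ReadWritePaths=<mail store root>` for it if needed. /var/run is usually a symlink to /run on this kind of system, so the `/run/dovecot/` and `/var/run/dovecot/` entries most likely describe the same directory and one of them can go. ReadWritePaths= is the documented way to punch writable holes into a strict file system; binding a path onto itself with BindPaths= works but hides the intent.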
@@ -1,2 +1,18 @@
 [Service]
 LimitNOFILE=100000
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+ProtectHome=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+SystemCallArchitectures=native
+BindPaths=/var/log/mysql/
+BindPaths=/var/lib/mysql/
+BindPaths=/var/run/mysqld/
+BindPaths=/run/mysqld/
+InaccessiblePaths=/var/www/
diff --git a/etc/systemd/system/nginx.service.d/custom.conf b/etc/systemd/system/nginx.service.d/custom.conf
index a5169e0..722eec4 100644
--- a/etc/systemd/system/nginx.service.d/custom.conf
+++ b/etc/systemd/system/nginx.service.d/custom.conf
@@ -6,3 +6,17 @@ ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
 ExecStartPre=
 ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
 ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+SystemCallArchitectures=native
+BindPaths=/var/log/nginx/
+BindPaths=/var/lib/nginx/
+BindPaths=/var/run/
+BindPaths=/run/
+InaccessiblePaths=/root/
diff --git a/etc/systemd/system/php7.3-fpm@.service b/etc/systemd/system/php7.3-fpm@.service
index a530c5c..8bcd303 100644
--- a/etc/systemd/system/php7.3-fpm@.service
+++ b/etc/systemd/system/php7.3-fpm@.service
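Review bot: Every BindPaths= source, including `/run/mysqld/`, has to exist when systemd builds the mount namespace, and that happens before any ExecStartPre= runs; if the packaged unit creates /var/run/mysqld only in an ExecStartPre= `install -d` (as far as I know Debian's mariadb unit does), then after a reboot, when /run is a fresh tmpfs, the start is likely to fail on a missing bind source unless a tmpfiles.d snippet already provides the directory — worth confirming on a cold boot. `RuntimeDirectory=mysqld` should create the directory before the namespace is set up and make it writable without a BindPaths= line. Because /var/run is normally a symlink to /run on this platform, the `/var/run/mysqld/` entry duplicates `/run/mysqld/` and can go. `PrivateUsers=true` is enabled here but left commented out in the postfix drop-ins of this same commit; a one-line comment naming the unit it was verified against would make the asymmetry read as intentional.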
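Review bot: `BindPaths=/run/` and `BindPaths=/var/run/` make the whole runtime directory writable to nginx, including the socket and pid directories of every other service (/run/php, /run/mysqld and /run/dovecot are all bound by the sibling drop-ins), which gives up most of what ProtectSystem=strict buys for this unit; nginx itself only needs /run/nginx, created by the ExecStartPre= install line, and the pid file named in ExecStop. Replacing that install line with `RuntimeDirectory=nginx` and moving the pid file under it (nginx's `pid` directive) would let a single `ReadWritePaths=/run/nginx` cover both; if the pid file must stay at /run/nginx.pid, keep /run writable but drop the redundant /var/run entry, which is a symlink to /run on this platform. This unit also leaves MemoryDenyWriteExecute= unset where the mail units enable it; if that is deliberate, a short comment saying why would stop a later reviewer from re-adding it.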
@@ -12,6 +12,20 @@ ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-f
 ExecReload=/bin/kill -USR2 $MAINPID
 LimitNOFILE=100000
 TimeoutStartSec=300
+ProtectSystem=strict
+PrivateTmp=true
+# sendmail requires it... enable once chrooted
+#NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+SystemCallArchitectures=native
+BindPaths=/var/log/
+BindPaths=/var/run/php/
+BindPaths=/run/php/
+InaccessiblePaths=/root/
 
 [Install]
 WantedBy=multi-user.target
diff --git a/etc/systemd/system/php7.3-fpm@default.service b/etc/systemd/system/php7.3-fpm@default.service
index e231ab4..60fe78b 100644
--- a/etc/systemd/system/php7.3-fpm@default.service
+++ b/etc/systemd/system/php7.3-fpm@default.service
@@ -12,6 +12,22 @@ ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-f
 ExecReload=/bin/kill -USR2 $MAINPID
 LimitNOFILE=100000
 TimeoutStartSec=300
+ProtectSystem=strict
+PrivateTmp=true
+# sendmail requires it... enable once chrooted
+#NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+SystemCallArchitectures=native
+BindPaths=/var/log/
+BindPaths=/var/run/php/
+BindPaths=/run/php/
+BindPaths=/var/lib/php/sessions
+BindPaths=/var/local/squirrelmail/
+InaccessiblePaths=/root/
 
 [Install]
 WantedBy=multi-user.target
diff --git a/etc/systemd/system/postfix.service.d/custom.conf b/etc/systemd/system/postfix.service.d/custom.conf
new file mode 100644
index 0000000..c005cc6
--- /dev/null
+++ b/etc/systemd/system/postfix.service.d/custom.conf
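Review bot: `BindPaths=/var/log/` hands every PHP worker write access to the entire log tree rather than just the FPM log, so a compromised PHP application could truncate or rewrite the auth, mail and web-server logs — exactly the evidence an incident responder relies on; narrow it to the FPM log, e.g. `ReadWritePaths=<php-fpm log file or directory>`. The same line is added in the php7.3-fpm@default.service hunk below, which also writes `BindPaths=/var/lib/php/sessions` without the trailing slash the other entries use. The `# sendmail requires it... enable once chrooted` comment names the symptom but not the cause; stating that Postfix's sendmail is a setgid helper (postdrop on Debian) that NoNewPrivileges= would block makes the condition for re-enabling it checkable, and note that for a root-started service none of the other settings imply NNP, so the sandbox here rests on the mount restrictions alone. `/var/run/php/` and `/run/php/` are the same directory where /var/run is a symlink to /run, so one entry suffices.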
@@ -0,0 +1,15 @@
+[Service]
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+#PrivateUsers=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+BindPaths=/var/spool/
+BindPaths=/var/lib/postfix/
+InaccessiblePaths=/var/www/
diff --git a/etc/systemd/system/postfix@.service.d/custom.conf b/etc/systemd/system/postfix@.service.d/custom.conf
new file mode 100644
index 0000000..dd0c93e
--- /dev/null
+++ b/etc/systemd/system/postfix@.service.d/custom.conf
@@ -0,0 +1,15 @@
+[Service]
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+#PrivateUsers=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+BindPaths=/var/spool/
+BindPaths=/var/lib/
+InaccessiblePaths=/var/www/
diff --git a/etc/systemd/system/vsftpd.service.d/custom.conf b/etc/systemd/system/vsftpd.service.d/custom.conf
new file mode 100644
index 0000000..84170f2
--- /dev/null
+++ b/etc/systemd/system/vsftpd.service.d/custom.conf
@@ -0,0 +1,13 @@
+[Service]
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+InaccessiblePaths=/var/www/
+InaccessiblePaths=/root/
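Review bot: `#PrivateUsers=true` is left commented out with no explanation, unlike the NoNewPrivileges= line in the php-fpm units of this commit; say what broke, e.g. `# PrivateUsers: disabled — <what failed when it was on>`, so the next reader can tell whether it is safe to turn on. `BindPaths=/var/spool/` is wider than the queue Postfix actually owns and exposes the other spools (cron's, for one) to the mail daemons; `BindPaths=/var/spool/postfix/` keeps the grant to the queue tree, and the same applies to the postfix@.service.d hunk below. If local(8) delivers to system mailboxes under /var/mail, that directory is still read-only under ProtectSystem=strict and needs its own entry, so confirm where local delivery lands before narrowing. /run and /var/lib/postfix are covered, but any other runtime path the chrooted queue manager writes is worth a quick check on a cold boot.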
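Review bot: `BindPaths=/var/lib/` makes the state directories of every other service on the host (mysql, dovecot, the PHP session store, package state) writable to the postfix@ instances and largely undoes ProtectSystem=strict for this unit; the non-instance drop-in added in this same commit uses `BindPaths=/var/lib/postfix/`, so this looks like a dropped path component rather than a genuine wider requirement. Change it to `BindPaths=/var/lib/postfix/` to match, unless an instance really depends on another /var/lib subtree, in which case list that subtree explicitly with a comment.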
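Review bot: ProtectSystem=strict with no ReadWritePaths= or BindPaths= at all leaves every path, /home included, read-only for vsftpd, so uploads and any write to its own transfer log would fail; the other seven drop-ins in this commit each carve out at least one writable directory, which makes the omission here look accidental rather than designed. If the server is meant to be download-only, a comment such as `# read-only FTP: no writable paths on purpose` would keep the next reader from "fixing" it; otherwise add `ReadWritePaths=<FTP upload root>` and, if transfer logging is enabled, the log path as well, and verify an upload and a log line on a cold boot.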