Additional systemd service hardening #11

Closed
6 changes: 4 additions & 2 deletions dovecot.service.in
@@ -30,8 +30,10 @@ ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop
PrivateTmp=true
NonBlocking=yes
# Enable this if your systemd is new enough to support it:
#ProtectSystem=full
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
Contributor

This might lack some caps.

Author

Any thoughts on what caps may be missing?

And what makes you think there may be some missing? Is there a problem that you see when you use this service unit?

Contributor

I'll test these.

Contributor

NoNewPrivileges prevents UID changes, and we need to do UID changes. I need to adapt this.

Author

@cmouse I don't think NoNewPrivileges prevents UID changes - it prevents increasing privileges once they've been lost. If, for example, dovecot starts as root, then drops privileges and changes UID to dovecot, that would be fine. If, on the other hand, dovecot starts as root, then drops privileges and changes UID to dovecot, then tries to regain dropped privileges, then NoNewPrivileges would block that.

I'm curious - is there a problem that you're seeing? I'd be really interested in knowing what the problem may be.

Contributor

I have not yet properly tried it, but in some cases some dovecot processes need to change their EUID to some user, and then back to root, and again to some other user. I'll try this out with this systemd unit and see if it really works.

Contributor

After testing it, it was missing CAP_SYS_RESOURCE. Seems that NoNewPrivileges at least initially works in an environment with multiple UIDs for users.

Sep 19 09:03:52 cypher dovecot[10585]: master: Error: setrlimit(RLIMIT_NPROC, 4390): Operation not permitted

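The missing-capability finding above can be checked against a running process instead of waiting for setrlimit() to fail: /proc/<pid>/status exposes the bounding set as the CapBnd hex mask. The script below is an added example, not part of this PR or of dovecot; the capability bit numbers are the kernel's, and the status excerpt it decodes is constructed to match the CapabilityBoundingSet= list in this diff.

```shell
#!/bin/sh
# Added example, not dovecot's code: decode the CapBnd mask /proc/<pid>/status
# reports and compare it with a unit's CapabilityBoundingSet=. Capability bit
# numbers are the kernel's (linux/capability.h); the status excerpt is constructed.

# Bit number of a capability name (only the ones this PR discusses).
cap_bit() {
    case "$1" in
        CAP_CHOWN) echo 0 ;;
        CAP_DAC_OVERRIDE) echo 1 ;;
        CAP_KILL) echo 5 ;;
        CAP_SETGID) echo 6 ;;
        CAP_SETUID) echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_IPC_LOCK) echo 14 ;;
        CAP_SYS_CHROOT) echo 18 ;;
        CAP_SYS_RESOURCE) echo 24 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# Hex mask (16 digits, as /proc prints it) for a CapabilityBoundingSet= list.
mask_for_set() {
    mask=0
    for cap in $1; do
        bit=$(cap_bit "$cap") || return 1
        mask=$(( mask | (1 << bit) ))
    done
    printf '%016x\n' "$mask"
}

# Pull the CapBnd mask out of the text of /proc/<pid>/status.
capbnd_from_status() {
    printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p'
}

# Succeeds when capability $2 is present in hex mask $1.
mask_has_cap() {
    bit=$(cap_bit "$2") || return 1
    [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]
}

# The set from this PR's unit, and a constructed status excerpt for a master confined by it.
UNIT_SET="CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT"
STATUS_SAMPLE=$(printf 'Name:\tdovecot\nPid:\t10585\nCapBnd:\t%s\n' "$(mask_for_set "$UNIT_SET")")

# Raising a hard limit with setrlimit() needs CAP_SYS_RESOURCE; this set lacks it,
# which is the "Operation not permitted" in the log line quoted above.
missing_sys_resource() {
    ! mask_has_cap "$(capbnd_from_status "$STATUS_SAMPLE")" CAP_SYS_RESOURCE
}
```

On a live host, feed the output of `cat /proc/<pid>/status` for the dovecot master into capbnd_from_status instead of the constructed excerpt.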

[Install]
WantedBy=multi-user.target
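Review bot: The CapabilityBoundingSet= line omits CAP_SYS_RESOURCE, which the testing comment above shows the master process needs ("master: Error: setrlimit(RLIMIT_NPROC, 4390): Operation not permitted"); add it to the list before this is merged. Separately, dropping the "Enable this if your systemd is new enough to support it" comment and turning on ProtectSystem=full, NoNewPrivileges=true and PrivateDevices=true unconditionally raises the minimum systemd version the unit requires, so the commit message or a comment in the unit should state that requirement.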