On Mon, 03 Jul 2023 at 20:21:20 +0100, RL wrote:
> (One of the issues for services that send email is that it is very
> easy to break exim)

It's also very easy to break anything else that relies on running a
setuid/setgid/setcap executable (including many mail delivery agents,
not just Exim), as the maintainers of systemd-cron already discovered.

More generally, systemd's hardening features are a lot like AppArmor:
great for services that have no business executing arbitrary code and
would be simple to put in a minimal container (for example most game
servers), but difficult or even impossible to use successfully for
services that are expected to be allowed to execute arbitrary code via
plugins, hooks or configuration.

For example, dbus-daemon can only usefully have hardening applied if it
was built with traditional (non-systemd) service activation disabled,
which we cannot usefully do in Debian for two reasons: because we support
non-systemd init systems, and because we don't (currently) require
every D-Bus system service to have a corresponding systemd system unit.
Because of the way traditional activation works, a child process of a
setuid-root helper that is run by dbus-daemon must be allowed to exercise
any privilege that might legitimately be needed by any D-Bus-activated
system service, which rules out otherwise useful things like ProtectSystem.

    smcv
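An added example, not part of the thread above and not code from Debian, systemd or D-Bus: a small audit script that reads a systemd unit, lists the directives whose effect is inherited by every process in the service, and flags the situation smcv describes, where the service starts a setuid/setgid helper whose children may need privileges those directives take away. It assumes a simple unit file (one directive per line, no drop-in fragments) and detects only setuid/setgid mode bits, not file capabilities; the directive list and the one-line consequences are summaries of systemd.exec(5) rather than anything the thread states, and the service, helper and paths in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a systemd unit for directives
# that apply to the whole process tree, and flag the case where the unit
# runs a setuid/setgid helper whose children may need the privileges the
# directives take away.
# Assumptions: one directive per line, no drop-in fragments; only mode
# bits are checked, so file capabilities (setcap) are not detected.

# Directives whose effect is inherited by every child process.
# Consequences are summaries of systemd.exec(5); ProtectSystem= is the
# one named in the thread.
RESTRICTIONS="NoNewPrivileges CapabilityBoundingSet ProtectSystem ProtectHome"

describe() {
    case "$1" in
        NoNewPrivileges)       echo "setuid/setgid bits and file capabilities grant nothing on execve()" ;;
        CapabilityBoundingSet) echo "a setuid-root helper can obtain at most these capabilities" ;;
        ProtectSystem)         echo "/usr (more with =full or =strict) is read-only for the helper's children too" ;;
        ProtectHome)           echo "/home, /root and /run/user are hidden or read-only for the helper's children too" ;;
    esac
}

# unit_get UNIT DIRECTIVE: print the last value set for DIRECTIVE, or nothing.
unit_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Program path from ExecStart=, with systemd's "-", "@", "+", "!", ":"
# prefix characters stripped.
exec_start_program() {
    unit_get "$1" ExecStart | sed 's/^[-@+!:]*//' | cut -d' ' -f1
}

# audit_unit UNIT [HELPER...]: print each active restriction, then each
# setuid/setgid program among ExecStart= and the listed helpers. The last
# line is the verdict: "conflict" if both are present, otherwise "ok".
audit_unit() {
    unit="$1"; shift
    verdict=ok
    restricted=no
    for d in $RESTRICTIONS; do
        v=$(unit_get "$unit" "$d")
        case "$v" in ""|no|false|off|0) continue ;; esac
        restricted=yes
        echo "restriction: $d=$v  ($(describe "$d"))"
    done
    for prog in "$(exec_start_program "$unit")" "$@"; do
        [ -n "$prog" ] || continue
        if [ -u "$prog" ] || [ -g "$prog" ]; then
            echo "privileged program: $prog has setuid/setgid set"
            if [ "$restricted" = yes ]; then verdict=conflict; fi
        fi
    done
    echo "$verdict"
}

# Demo with constructed input (not a real unit or helper): a service that
# enables NoNewPrivileges= and ProtectSystem= yet starts a setuid helper.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/helper"
chmod 4755 "$demo_dir/helper"   # setuid bit on a file we own, demo only
cat > "$demo_dir/example-mta.service" <<EOF
[Service]
ExecStart=$demo_dir/helper --daemon
NoNewPrivileges=yes
ProtectSystem=strict
EOF
audit_unit "$demo_dir/example-mta.service"
```

Run it against a real unit with `audit_unit /path/to/unit.service /usr/lib/dbus-1.0/dbus-daemon-launch-helper` (or whatever helper the service is expected to spawn) to see which inherited restrictions the helper's children will be subject to; a "conflict" verdict is the cue to either drop the directive or give the privileged work its own unit.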
