On Mon, 03 Jul 2023 at 20:21:20 +0100, RL wrote:
> (One of the issues for services that send email is that it is very
> easy to break exim)

It's also very easy to break anything else that relies on running a setuid/setgid/setcap executable (including many mail delivery agents, not just Exim), as the maintainers of systemd-cron already discovered.

More generally, systemd's hardening features are a lot like AppArmor: great for services that have no business executing arbitrary code and would be simple to put in a minimal container (for example most game servers), but difficult or even impossible to use successfully for services that are expected to be allowed to execute arbitrary code via plugins, hooks or configuration.

For example, dbus-daemon can only usefully have hardening applied if it was built with traditional (non-systemd) service activation disabled, which we cannot usefully do in Debian for two reasons: because we support non-systemd init systems, and because we don't (currently) require every D-Bus system service to have a corresponding systemd system unit. Because of the way traditional activation works, a child process of a setuid-root helper that is run by dbus-daemon must be allowed to exercise any privilege that might legitimately be needed by any D-Bus-activated system service, which rules out otherwise useful things like ProtectSystem.

smcv
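The failure mode smcv describes, as an added illustration that is not part of the message above and not a unit shipped by Debian, systemd or Exim: a hypothetical systemd drop-in for a hypothetical service (the unit name mta-example.service, the helper path and the spool path are all assumed) whose daemon delivers mail by executing a setuid-root helper. The message names only ProtectSystem; NoNewPrivileges is named here because it is the directive that most directly explains why setuid, setgid and setcap helpers stop working.

```ini
# Hypothetical drop-in: /etc/systemd/system/mta-example.service.d/hardening.conf
# The unit name, the helper path and the spool path are assumed for
# illustration; this is an added example, not a unit from Debian, systemd or Exim.
#
# Assumed service: a daemon that hands each message to a setuid-root helper, e.g.
#   ExecStart=/usr/lib/mta-example/daemon --helper=/usr/lib/mta-example/deliver-helper
[Service]

# Deliberately NOT set:
#   NoNewPrivileges=yes
# It sets PR_SET_NO_NEW_PRIVS on the service, after which the kernel ignores
# setuid/setgid bits and file capabilities on every later execve() by the
# service or its children. The helper would then run with the daemon's own
# uid and its privileged work (writing other users' mailboxes, binding
# privileged ports, ...) would fail. Several other sandboxing directives can
# switch this flag on implicitly in some configurations, so check
# systemd.exec(5) before assuming a helper is unaffected.

# ProtectSystem=strict makes the whole file system read-only for the service
# AND for everything it executes, the setuid helper included; only /dev, /proc
# and /sys stay writable. It is usable here only because this one helper's
# write locations are known and finite, unlike the dbus-daemon case in the
# message above, where the set of children and their needs is unbounded.
ProtectSystem=strict

# Every path the helper writes to must be listed explicitly (assumed path);
# forgetting one turns into a delivery failure at runtime, not at unit load.
ReadWritePaths=/var/spool/mta-example
```

Before committing a drop-in like this, run the helper itself under the same properties with `systemd-run --wait --pipe -p ProtectSystem=strict -p ReadWritePaths=/var/spool/mta-example /usr/lib/mta-example/deliver-helper ...` (paths assumed) and confirm it still succeeds; `systemd-analyze security mta-example.service` then shows which directives are in effect, but it scores exposure and says nothing about whether the service's helpers still work.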