Your message dated Mon, 14 Nov 2016 21:18:56 +0000
with message-id <[email protected]>
and subject line Bug#816456: fixed in openntpd 1:6.0p1-2
has caused the Debian Bug report #816456,
regarding openntpd: Please use systemd sandboxing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
816456: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816456
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openntpd
Version: 1:5.7p4-2
Severity: wishlist

Dear Maintainer,

It is possible to use systemd.exec(5) features to confine OpenNTPd.
This is helpful in reducing the potential damage caused by a compromise
of the daemon, beyond the privilege-dropping that OpenNTPd already
performs.

Please consider shipping with the openntpd package a systemd unit file
which employs those security features. In particular, it is possible to
start the service with reduced capabilities and in a more contrived
namespace:

> [Service]
> # The service gets its own instance of {/var,}/tmp
> PrivateTmp=true
>
> # Only exposes API pseudo-devices (/dev/null, zero, random, ...)
> PrivateDevices=true
>
> # Makes /usr, /boot and /etc read-only
> ProtectSystem=full
>
> # Prevents access to /home, /root and /run/user
> ProtectHome=true
>
> CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG
> CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
> NoNewPrivileges=true

It might be possible to avoid giving the daemon CAP_SYS_CHROOT by
starting through systemd-nspawn(1), but I haven't investigated yet.
This would prevent someone gaining root in the chroot from escaping.

Best regards,

nicoo

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openntpd depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.28
ii  libc6                2.21-9
ii  netbase              5.3

openntpd recommends no packages.

openntpd suggests no packages.

-- no debconf information
--- End Message ---
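The drop-in quoted in the report relies on two systemd.exec(5) behaviours worth checking mechanically: boolean directives accept several spellings (yes/true/on/1), and repeated CapabilityBoundingSet= lines are merged by OR, so the two lines above yield one six-capability bounding set rather than the second line overriding the first. The following audit script is an added example, not part of the bug report or of the Debian package; it parses unit-file text, merges the capability lines that way, and reports which of the sandboxing settings from the report are missing. The two unit texts embedded in it are constructed samples (the proposed drop-in, and a deliberately unhardened unit for comparison), and the function names are this example's own.

```python
"""Audit the hardening directives in a systemd unit's [Service] section.

Added example (not Debian's or OpenNTPd's code). It parses unit-file text
without loading systemd, merges repeated CapabilityBoundingSet= lines as
systemd.exec(5) describes (lists OR-ed together, empty value resets), and
lists which of the sandboxing settings from the bug report are missing.
"""
from typing import Dict, List, Optional, Set

# Constructed sample: the drop-in proposed in the bug report.
PROPOSED_UNIT = """\
[Service]
# The service gets its own instance of {/var,}/tmp
PrivateTmp=true

# Only exposes API pseudo-devices (/dev/null, zero, random, ...)
PrivateDevices=true

# Makes /usr, /boot and /etc read-only
ProtectSystem=full

# Prevents access to /home, /root and /run/user
ProtectHome=true

CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
NoNewPrivileges=true
"""

# Constructed sample: a unit with no sandboxing at all, for comparison.
PLAIN_UNIT = """\
[Unit]
Description=constructed example with no sandboxing

[Service]
ExecStart=/usr/sbin/ntpd -d
"""

# Spellings systemd accepts for a true boolean directive.
TRUE_WORDS = {"1", "yes", "true", "on"}


def parse_service_section(text: str) -> Dict[str, List[str]]:
    """Return [Service] directives as name -> values, in file order.

    Repeated directives are kept as a list because systemd treats several
    of them (CapabilityBoundingSet= among others) cumulatively.
    """
    section = None
    out: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out.setdefault(key.strip(), []).append(value.strip())
    return out


def effective_bounding_set(values: List[str]) -> Optional[Set[str]]:
    """Merge CapabilityBoundingSet= lines: OR for plain lists, reset on "".

    Returns None when the directive never appeared, i.e. the service keeps
    the full bounding set. Inverted ("~") lists are refused rather than
    approximated, so the audit never silently misjudges them.
    """
    caps: Optional[Set[str]] = None
    for value in values:
        if value == "":
            caps = set()
        elif value.startswith("~"):
            raise ValueError("inverted CapabilityBoundingSet= not supported")
        else:
            caps = (caps or set()) | set(value.upper().split())
    return caps


def audit_hardening(unit_text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    svc = parse_service_section(unit_text)

    def is_true(name: str) -> bool:
        vals = svc.get(name)
        return bool(vals) and vals[-1].lower() in TRUE_WORDS

    findings: List[str] = []
    for name in ("PrivateTmp", "PrivateDevices", "ProtectHome", "NoNewPrivileges"):
        if not is_true(name):
            findings.append(f"{name}= is not enabled")
    # ProtectSystem=yes only covers /usr and /boot; require full or strict
    # so that /etc is read-only too, as the report's comment expects.
    protect = svc.get("ProtectSystem", [""])[-1].lower()
    if protect not in {"full", "strict"}:
        findings.append("ProtectSystem= should be full or strict")
    caps = effective_bounding_set(svc.get("CapabilityBoundingSet", []))
    if caps is None:
        findings.append("CapabilityBoundingSet= unset: full bounding set retained")
    elif "CAP_SYS_ADMIN" in caps:
        findings.append("CapabilityBoundingSet= grants CAP_SYS_ADMIN")
    return findings


if __name__ == "__main__":
    for label, unit in (("proposed", PROPOSED_UNIT), ("plain", PLAIN_UNIT)):
        print(f"{label}: {audit_hardening(unit) or ['OK']}")
```

Run against a real installation, the same functions can be pointed at the concatenated output of `systemctl cat openntpd.service`, which prints the unit together with any drop-ins in the order systemd applies them; the merge logic then reflects the effective bounding set rather than whichever line happens to appear last.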
--- Begin Message ---
Source: openntpd
Source-Version: 1:6.0p1-2

We believe that the bug you reported is fixed in the latest version of
openntpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ulises Vitulli <[email protected]> (supplier of updated openntpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Nov 2016 18:47:56 -0300
Source: openntpd
Binary: openntpd
Architecture: source amd64
Version: 1:6.0p1-2
Distribution: unstable
Urgency: medium
Maintainer: Ulises Vitulli <[email protected]>
Changed-By: Ulises Vitulli <[email protected]>
Description:
 openntpd   - OpenBSD NTP daemon
Closes: 736515 791534 791571 816456 825194 844069
Changes:
 openntpd (1:6.0p1-2) unstable; urgency=medium
 .
   * Properly apply patch for compiling at kFreeBSD-*.
   * Implement some systemd sandboxing and hardening features
     (Closes: #816456). Thanks Nicolas Braud-Santoni.
   * Reload openntpd once network changes are triggered even on standalone
     (Closes: #736515).
   * Debianize manpages, thanks Antoine Beaupré (Closes: #791571, #825194).
   * Explicitly notice constraint certificate verification turned off, due
     to missing libtls provided by libreSSL (not yet adopted at Debian)
     (Closes: #791534, #844069).
Checksums-Sha1:
 654c38dd7d4424da8f91cc094dfc8d0bccbe3146 1945 openntpd_6.0p1-2.dsc
 02d3b359fe3659c50345fb0b199649785a026067 14264 openntpd_6.0p1-2.debian.tar.xz
 aa30864adfa3efbdfce5ae1b6ee8cb968bbbbcd8 5082 openntpd_6.0p1-2_20161114T210947z-00d7f3d9.buildinfo
 1b6b696b24b01f553a01a2212fd421c5d76c1318 62604 openntpd_6.0p1-2_amd64.deb
Checksums-Sha256:
 924d6478511f9ef0d94a9e649b0510ee12f750f83cc73bd737b990691089c0ea 1945 openntpd_6.0p1-2.dsc
 e4c686da80f34e66079b712e497cd7cb90265ecfd964ae844371ff8b3a083504 14264 openntpd_6.0p1-2.debian.tar.xz
 a892350ddee861a34e355107bfe8955ec385789daed28890e376bcf5ae7d281a 5082 openntpd_6.0p1-2_20161114T210947z-00d7f3d9.buildinfo
 4a3957e5350f3977e90d3b08fc996e963005e8747379bbba0cf806a56a3e0494 62604 openntpd_6.0p1-2_amd64.deb
Files:
 59b09a3665c0d81fe150f3920f183460 1945 net optional openntpd_6.0p1-2.dsc
 f13108f0e7d3b56d2dd44a337ff1945a 14264 net optional openntpd_6.0p1-2.debian.tar.xz
 00d7f3d987494910da7b9bb243046cd1 5082 net optional openntpd_6.0p1-2_20161114T210947z-00d7f3d9.buildinfo
 5806abc3cdc6da7ac4cbe1519b01c8e6 62604 net optional openntpd_6.0p1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpse4i5WDBGoRxUA+CwD7bOvi0AIFAlgqKE4ACgkQCwD7bOvi
0AJ0Qw//WRBfTXf0m0UteKb12x9S8oYDfjTmSuYITfrfZqkRG6xspmnYCdJJ1aJ/
xCZFzey8wqtw2U7i4CV5wFXyS/KiQ8+4hrwhmovJ2Pgb3BETwCbRy31mfMG+F7Ev
x/t7dB75ylhigUXjn9VsQqIIl0i1jwepZfHvVYlQUVxexO3+Ewpin88/kZcvlf0G
asLH4bZxqhZ3BFGXED6Q19vnifGC/Wwbkm1N90pd00UXt6zLI2C3J+q45PUVwfNV
/N3+PNJbwPTjikA4RE0iNso7VDJLFzCmpWDtsAG/iJOmNvoRSqfhXz17IJziozkd
lDKopmebg8HDG6/QECU5vP0Bcqe90bvJhNCfbyjkA9coRyxB+CUWRT1k+IOuHrt/
8D1LNof0gcXB3TPAyA0Id/cOwhmEu7Wqoo2taz6NITSObDCyswxDAC0TQBsBRCbZ
P888cKOQIk7KMjr9nPd89k7ixF5yIvsZkUFS5JsWaQVMoQ/I4L9wV/U7F4cUW6aE
obzSz353JkqJqnT9/xQDpzT1YvQCMyXpmOppWzOL3R5SRcpSfRa1MT0oyjXL1jZY
jdv3LcewCIIz7g3QMfOASEQreqxqiLa1vFSXfnDMVxhoNLsO+acO2OuxGUVvTwum
zsaisxXqZVBgvG5i21sviiqxepIG+qBB3yXKzVM3hFct/KjSMjw=
=DqP4
-----END PGP SIGNATURE-----
--- End Message ---