Source: nginx
Severity: wishlist

Dear Maintainer,

Nginx can be confined using features from systemd.exec(5).
This can be very helpful in mitigating a potential compromise of the service.

Please consider enabling those security features in future versions
  of the package.

Here is a (commented) suggestion that has been tested on Jessie:

> [Service]
> # The service gets its own instance of {/var,}/tmp
> PrivateTmp=true
>
> # Only exposes API pseudo-devices (/dev/null, zero, random)
> PrivateDevices=true
>
> # Makes /usr, /boot and /etc read-only
> ProtectSystem=full
>
> # Prevents access to /home, /root and /run/user
> ProtectHome=true
>
> # CAP_KILL: to signal child processes that run under a different user
> # CAP_SETUID CAP_SETGID: it launches its children with fewer privileges
> # CAP_NET_BIND_SERVICE: clearly, it listens on ports < 1024
> # CAP_SYSLOG: it is better to be able to talk to syslog
> CapabilityBoundingSet=CAP_KILL CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_SYSLOG
> NoNewPrivileges=true


When confined so, Nginx cannot even access files that are not world-readable
  or owned by root; since this might be confusing for users unaware of
  capabilities(7), I would consider adding CAP_DAC_OVERRIDE to
  CapabilityBoundingSet.


Best regards,

  nicoo
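As an added check, not part of the bug report or the nginx package: once a unit like the one above is in place, the bounding set the kernel actually applied can be read from the CapBnd line of /proc/PID/status of the running master process and compared with what CapabilityBoundingSet= asked for. The script below (example code written for this page) decodes such a mask using the capability numbering from <linux/capability.h>, and the sample mask 00000004000004e0 is a constructed value that corresponds to the five capabilities in the proposed unit; 00000004000004e2 is the same set with CAP_DAC_OVERRIDE (bit 1) added, as the last paragraph discusses.

```bash
#!/bin/bash
# Added example (not from the bug report): decode a CapBnd mask from
# /proc/PID/status into capability names and flag anything that was not
# requested in CapabilityBoundingSet=.

# Capability names indexed by their number from <linux/capability.h>
# (38..40 only exist on kernels 5.8/5.9 and later).
CAP_NAMES=(
    CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
    CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
    CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW
    CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
    CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
    CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
    CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE
    CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ
    CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE
)

# decode_capbnd MASK: print the names of the bits set in a hex mask
# (as printed by /proc/PID/status, with or without a 0x prefix),
# one per line, lowest capability number first.
decode_capbnd() {
    local mask=$(( 0x${1#0x} )) i
    for i in "${!CAP_NAMES[@]}"; do
        if (( (mask >> i) & 1 )); then
            printf '%s\n' "${CAP_NAMES[i]}"
        fi
    done
}

# capbnd_of_pid PID: read the CapBnd mask of a live process
# (e.g. capbnd_of_pid "$(pidof -s nginx)"; needs a running nginx).
capbnd_of_pid() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# unexpected_caps MASK NAME...: print capabilities present in MASK that
# are not in the expected NAME list; empty output means the unit's
# CapabilityBoundingSet= was applied exactly.
unexpected_caps() {
    local mask=$1; shift
    local name expected=" $* "
    for name in $(decode_capbnd "$mask"); do
        case "$expected" in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample values for the proposed unit file (not captured from a
# real system): the five requested capabilities, and the same set plus
# CAP_DAC_OVERRIDE (bit 1).
SAMPLE_CAPBND=00000004000004e0
SAMPLE_CAPBND_WITH_DAC=00000004000004e2
REQUESTED="CAP_KILL CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_SYSLOG"

# When given a PID on the command line, check that live process instead.
if [ $# -eq 1 ]; then
    printf 'bounding set of PID %s:\n' "$1"
    decode_capbnd "$(capbnd_of_pid "$1")"
    printf 'not requested by the unit:\n'
    unexpected_caps "$(capbnd_of_pid "$1")" $REQUESTED
fi
```

Run it as `./capbnd-check.sh "$(pidof -s nginx)"` as root to see the effective set of a confined master process. An unconfined root daemon shows a mask such as 0000003fffffffff, which decodes to every capability the kernel knows; after the unit above takes effect only the five requested names should remain, and if CAP_DAC_OVERRIDE is added to the unit it will show up in the decoded list (but not in the "not requested" list once it is part of the expected set).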