PS: I didn't notice #791571.
    Here is a fixed patch (that assumes the current socket location)

On Sun, May 08, 2016 at 07:18:16PM +0200, Nicolas Braud-Santoni wrote:
> Control: tags -1 patch
> 
> Dear dererk,
> 
> Here is a patch that implements the suggested change.
> Note that ProtectSystem=full was replaced by more restrictive settings:
> 
> > # Makes the system read-only (in the daemon's namespace)
> > #  and prevent access to the logs
> > ReadOnlyDirectories=/
> > ReadWriteDirectories=/var/run
> > ReadWriteDirectories=/var/lib/openntpd
> > InaccessibleDirectories=/var/log
> 
> The configuration change suggested here was tested on stretch, like the 
> original one.
> For some reason that I haven't elucidated yet, it fails on jessie, but this is
>   likely not an issue (it wouldn't be sent to stable anyhow).
> 
> 
> Best,
> 
>   nicoo

> From 1ebb3d50a35d2163b22a6e514ccb8d4687cbfead Mon Sep 17 00:00:00 2001
> From: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
> Date: Sun, 8 May 2016 19:13:45 +0200
> Subject: [PATCH] Use systemd sandboxing
> 
> ---
>  debian/changelog        |  6 ++++++
>  debian/openntpd.service | 26 ++++++++++++++++++++++++++
>  2 files changed, 32 insertions(+)
> 
> diff --git a/debian/changelog b/debian/changelog
> index 6bae66c..7b760c0 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,9 @@
> +openntpd (1:5.7p4-4) unstable; urgency=medium
> +
> +  * Use systemd's sandboxing (Closes: 816456)
> +
> + --
> +
>  openntpd (1:5.7p4-3) unstable; urgency=medium
>  
>    * Add support for GNU/kFreeBSD arc4random (Closes: 815302).
> diff --git a/debian/openntpd.service b/debian/openntpd.service
> index 311e0c6..9289fc0 100644
> --- a/debian/openntpd.service
> +++ b/debian/openntpd.service
> @@ -3,6 +3,7 @@ Description=OpenNTPd Network Time Protocol
>  Conflicts=systemd-timesyncd.service
>  After=network.target
>  
> +
>  [Service]
>  Type=forking
>  EnvironmentFile=-/etc/default/openntpd
> @@ -10,5 +11,30 @@ ExecStart=/usr/sbin/ntpd $DAEMON_OPTS
>  Restart=on-failure
>  RuntimeDirectory=openntpd
>  
> +## Sandboxing features.  See systemd.exec(5)
> +# The service gets its own instance of {/var,}/tmp
> +PrivateTmp=true
> +
> +# Only exposes API pseudo-devices (/dev/null, zero, random)
> +PrivateDevices=true
> +
> +# Makes the system read-only (in the daemon's namespace)
> +#  and prevent access to the logs
> +ReadOnlyDirectories=/
> +ReadWriteDirectories=/var/run
> +ReadWriteDirectories=/var/lib/openntpd
> +InaccessibleDirectories=/var/log
> +
> +# Prevents access to /home, /root and /run/user
> +ProtectHome=true
> +
> +# Bounds the daemon's privileges.
> +#  See capabilities(7) and
> +#  /usr/share/doc/linux-doc-*/Documentation/prctl/no_new_privs.txt.gz
> +CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG
> +CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
> +NoNewPrivileges=true
> +
> +
>  [Install]
>  WantedBy=multi-user.target
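Review bot: `ReadWriteDirectories=/var/run` reopens the whole of /var/run for writing, which is far broader than what this daemon owns: `RuntimeDirectory=openntpd` already gives the service its own subdirectory there, so the writable entry should be narrowed to that subdirectory rather than the parent. The follow-up patch below drops the /var/run line entirely; whichever way it is resolved, the writable set should match where ntpd actually creates its control socket, and the second empty line added before `[Install]` is stray whitespace.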
> -- 
> 2.8.1
> 



From 63d85b72808a0ebdd7a135a13c8ba8aa38b7f529 Mon Sep 17 00:00:00 2001
From: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
Date: Sun, 8 May 2016 19:13:45 +0200
Subject: [PATCH] Use systemd sandboxing

---
 debian/changelog        |  6 ++++++
 debian/openntpd.service | 25 +++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6bae66c..7b760c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+openntpd (1:5.7p4-4) unstable; urgency=medium
+
+  * Use systemd's sandboxing (Closes: 816456)
+
+ --
+
 openntpd (1:5.7p4-3) unstable; urgency=medium
 
   * Add support for GNU/kFreeBSD arc4random (Closes: 815302).
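Review bot: the trailer line `+ --` is only a placeholder and does not form a valid changelog entry; the closing line has to carry the uploader's name, e-mail address and date in the ` -- Name <email>  date` form before the package is built or uploaded. The bug reference `Closes: 816456` follows the same unhashed style as the existing `Closes: 815302` entry below it, so that part is consistent with the file.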
diff --git a/debian/openntpd.service b/debian/openntpd.service
index 311e0c6..d0680c7 100644
--- a/debian/openntpd.service
+++ b/debian/openntpd.service
@@ -3,6 +3,7 @@ Description=OpenNTPd Network Time Protocol
 Conflicts=systemd-timesyncd.service
 After=network.target
 
+
 [Service]
 Type=forking
 EnvironmentFile=-/etc/default/openntpd
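Review bot: this hunk only adds a second blank line before `[Service]`; it is whitespace churn unrelated to the sandboxing change and should be dropped so the diff stays limited to what the changelog describes.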
@@ -10,5 +11,29 @@ ExecStart=/usr/sbin/ntpd $DAEMON_OPTS
 Restart=on-failure
 RuntimeDirectory=openntpd
 
+## Sandboxing features.  See systemd.exec(5)
+# The service gets its own instance of {/var,}/tmp
+PrivateTmp=true
+
+# Only exposes API pseudo-devices (/dev/null, zero, random)
+PrivateDevices=true
+
+# Makes the system read-only (in the daemon's namespace)
+#  and prevent access to the logs
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/openntpd
+InaccessibleDirectories=/var/log
+
+# Prevents access to /home, /root and /run/user
+ProtectHome=true
+
+# Bounds the daemon's privileges.
+#  See capabilities(7) and
+#  /usr/share/doc/linux-doc-*/Documentation/prctl/no_new_privs.txt.gz
+CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
+NoNewPrivileges=true
+
+
 [Install]
 WantedBy=multi-user.target
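Review bot: with `ReadOnlyDirectories=/` and `ReadWriteDirectories=/var/lib/openntpd` as the only writable entry, the directory created by `RuntimeDirectory=openntpd` is read-only inside the unit's mount namespace, so anything ntpd creates at runtime (control socket, pid file) must live under /var/lib/openntpd. The cover note says this patch assumes the current socket location; that assumption deserves a comment next to `RuntimeDirectory=`, or a `ReadWriteDirectories=` entry for the runtime directory if the socket ever moves there. Two smaller points: the comment `#  and prevent access to the logs` should read `prevents`, and the double blank line before `[Install]` is stray whitespace.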
-- 
2.8.1
