Hey twb! I saw you pop into #ntpsec a couple of times, but you were
always gone by the time I was back at my computer.

I haven't had a chance to actually test this, outside of running
systemd-analyze on the modified unit.

Some comments:

1) In general, this is great! By all means, let's lock down the services
to minimum privileges. This systemd-analyze tool is new and I was not
previously aware of it. Thanks!

As a side note that has nothing to do with you, it's too bad that
systemd-analyze security does not work on a unit _file_, but only
installed units. Otherwise, this would be a great thing for someone to
hook into Lintian.

2) I agree that it would be nice to hit all the ntpsec services.

3) Why do we want /var/log/ntpsec/temps.YYYY-MM-DD.gz to be
world-readable? Is it just that, or everything that needs to be
world-readable? Would this get better if the ntpviz services ran as the
user ntpsec (i.e. could we then avoid them being world-readable)?

4) I re-ran systemd-analyze after adding these options. Do we really
need local sockets? I see that systemd.exec's documentation suggests
keeping it, e.g. for syslog, but is it actually used here?

5) Unless the order is critical (for humans; I realize it does not
matter to systemd in most cases), I'd prefer to sort these.

6) I will have to wait until after the Buster release to accept and
merge this, because of the code freeze.

So with them sorted, and making UMask explicit, here's what I have:

[Unit]
Description=Rotate ntpd stats
Requisite=ntpsec.service

[Service]
Type=simple
ExecStart=/usr/lib/ntp/rotate-stats

# These lock down this service to minimal privileges.
CapabilityBoundingSet=
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadWritePaths=-/var/log/ntpsec/
RemoveIPC=yes
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
# Order is important here:
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# We want /var/log/ntpsec/temps.YYYY-MM-DD.gz to be world-readable.
# Note the directive is UMask= (systemd ignores an unknown key such as Umask=).
UMask=022
User=ntpsec
WorkingDirectory=/var/log/ntpsec

-- 
Richard
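Added example, not code from Richard's mail or from the ntpsec package: since systemd-analyze security only inspects installed units, this small Python checker works on a unit file directly and reports doubled single-valued keys, keys whose capitalisation differs from systemd's spelling (Umask= vs UMask=), and any of the hardening directives from the unit above that are absent. The directive list and the sample unit are my own constructions.

```python
import re

# Canonical spellings of the hardening directives in the unit above (assumption:
# the reviewer's own checklist, not a list systemd ships).
HARDENING_KEYS = [
    "CapabilityBoundingSet", "IPAddressDeny", "LockPersonality", "MemoryDenyWriteExecute",
    "NoNewPrivileges", "PrivateDevices", "PrivateNetwork", "PrivateTmp", "PrivateUsers",
    "ProtectControlGroups", "ProtectHome", "ProtectKernelModules", "ProtectKernelTunables",
    "ProtectSystem", "RemoveIPC", "RestrictAddressFamilies", "RestrictNamespaces",
    "RestrictRealtime", "SystemCallArchitectures", "SystemCallFilter", "UMask", "User",
]
# systemd merges repeats of these, so a second line is deliberate, not a defect.
MULTI_VALUE_KEYS = {"SystemCallFilter", "ReadWritePaths", "RestrictAddressFamilies"}
CANONICAL = {k.lower(): k for k in HARDENING_KEYS}

def parse_unit(text):
    """Return {section: [(key, value), ...]}, skipping comments and blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def check_service(text):
    """Sorted findings for [Service]: wrong key case, duplicates, missing directives."""
    entries = parse_unit(text).get("Service", [])
    findings, counts = [], {}
    for key, _ in entries:
        want = CANONICAL.get(key.lower())
        if want and want != key:
            findings.append(f"misspelled key {key!r}: systemd expects {want!r}")
        counts[key] = counts.get(key, 0) + 1
    findings += [f"duplicate key {k!r} ({n} times)" for k, n in counts.items()
                 if n > 1 and k not in MULTI_VALUE_KEYS]
    present = {CANONICAL.get(k.lower(), k) for k in counts}
    findings += [f"missing hardening directive {k!r}" for k in HARDENING_KEYS if k not in present]
    return sorted(findings)

# Constructed sample reproducing the defects in the quoted unit: a doubled
# PrivateNetwork= line and Umask= instead of UMask=.
SAMPLE_UNIT = "[Service]\nExecStart=/usr/lib/ntp/rotate-stats\nPrivateNetwork=yes\n" \
    "PrivateNetwork=yes\nSystemCallFilter=@system-service\n" \
    "SystemCallFilter=~@privileged @resources\nUmask=022\nUser=ntpsec\n"
```

Running check_service over the corrected unit from the mail returns an empty list; the sample above yields the two defects plus the directives it leaves out.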
