Source: znc
Version: 1.8.2-3
Severity: important

Hello,

I noticed that ZNC's service file comes with just a few settings that
improve security:

--8<---------------cut here---------------start------------->8---
...
PrivateTmp=true
ProtectSystem=full
ProtectHome=no
PrivateDevices=true
LimitNOFILE=1024
...
--8<---------------cut here---------------end--------------->8---

IMHO, these settings should be improved.  Here's what I recommend:

1) "ProtectHome=yes", because ZNC's $HOME is not located inside /home,
   so it's OK to make /home, /root and /run/user inaccessible.

2) Add, at least, the following settings:

--8<---------------cut here---------------start------------->8---
PrivateUsers=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectKernelTunables=yes
ProtectClock=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
ProtectProc=invisible
--8<---------------cut here---------------end--------------->8---

I'm running the service with the extra settings mentioned above, and
everything seems to be working correctly.

Thanks,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/
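
As an added example (not part of the original report or of ZNC's packaging), the script below checks a unit file's [Service] section against the settings recommended in the report. The function names and the sample unit are constructed for illustration, and the sample holds only the five directives the report quotes.

```shell
#!/usr/bin/env bash
# Added example (not part of the report): audit a unit file's [Service]
# section against the settings the report recommends.

RECOMMENDED='ProtectHome=yes PrivateUsers=yes ProtectKernelModules=yes
ProtectKernelLogs=yes ProtectKernelTunables=yes ProtectClock=yes
ProtectControlGroups=yes MemoryDenyWriteExecute=yes ProtectProc=invisible'

# Constructed sample: only the five settings quoted in the report.
sample_unit() {
    cat <<'EOF'
[Unit]
Description=constructed sample unit
[Service]
PrivateTmp=true
ProtectSystem=full
ProtectHome=no
PrivateDevices=true
LimitNOFILE=1024
EOF
}

# audit_unit [FILE]: read FILE (or stdin) and print one line per recommended
# directive that is missing or set differently. Returns 0 only if all match.
audit_unit() {
    WANT="$RECOMMENDED" awk '
        function norm(v) {   # systemd booleans: 1/yes/true/on, 0/no/false/off
            v = tolower(v)
            if (v ~ /^(1|yes|true|on)$/) return "yes"
            if (v ~ /^(0|no|false|off)$/) return "no"
            return v
        }
        /^[ \t]*[#;]/ { next }                        # comments
        /^[ \t]*\[/   { insvc = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        insvc && /=/  {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            have[key] = norm(val)                     # last assignment wins
        }
        END {
            n = split(ENVIRON["WANT"], w, /[ \t\n]+/)
            for (i = 1; i <= n; i++) {
                split(w[i], kv, "=")
                if (!(kv[1] in have)) { printf "MISSING  %s=%s\n", kv[1], kv[2]; bad++ }
                else if (have[kv[1]] != norm(kv[2])) { printf "DIFFERS  %s=%s (want %s)\n", kv[1], have[kv[1]], kv[2]; bad++ }
            }
            exit (bad > 0)
        }' "${1:--}"
}

sample_unit | audit_unit || echo "hardening gaps found"
```

On a live system, piping the output of `systemctl cat <unit>` into `audit_unit` also covers drop-in overrides, since later assignments replace earlier ones.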
