No setuid programs are expected to be executed, so add SecureBits=no-setuid-fixup no-setuid-fixup-locked to unit files. --- units/systemd-hostnamed.service.in | 1 + units/systemd-importd.service.in | 1 + units/systemd-journal-gatewayd.service.in | 1 + units/systemd-journal-remote.service.in | 1 + units/systemd-journal-upload.service.in | 1 + units/systemd-journald.service.in | 1 + units/systemd-localed.service.in | 1 + units/systemd-logind.service.in | 1 + units/systemd-machined.service.in | 1 + units/systemd-networkd.service.in | 1 + units/systemd-resolved.service.in | 1 + units/systemd-timedated.service.in | 1 + units/systemd-timesyncd.service.in | 1 + 13 files changed, 13 insertions(+)
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index cc88ecd..ec13938 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/hostnamed ExecStart=@rootlibexecdir@/systemd-hostnamed BusName=org.freedesktop.hostname1 CapabilityBoundingSet=CAP_SYS_ADMIN +SecureBits=no-setuid-fixup no-setuid-fixup-locked WatchdogSec=1min PrivateTmp=yes PrivateDevices=yes diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in index 26759ea..bb3fbea 100644 --- a/units/systemd-importd.service.in +++ b/units/systemd-importd.service.in @@ -14,6 +14,7 @@ ExecStart=@rootlibexecdir@/systemd-importd BusName=org.freedesktop.import1 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP NoNewPrivileges=yes +SecureBits=no-setuid-fixup no-setuid-fixup-locked WatchdogSec=1min PrivateTmp=yes ProtectSystem=full diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index 987220e..bfdb561 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -11,6 +11,7 @@ Requires=systemd-journal-gatewayd.socket [Service] ExecStart=@rootlibexecdir@/systemd-journal-gatewayd +SecureBits=no-setuid-fixup no-setuid-fixup-locked User=systemd-journal-gateway Group=systemd-journal-gateway SupplementaryGroups=systemd-journal diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in index 4a898d6..4f25518 100644 --- a/units/systemd-journal-remote.service.in +++ b/units/systemd-journal-remote.service.in @@ -13,6 +13,7 @@ Requires=systemd-journal-remote.socket ExecStart=@rootlibexecdir@/systemd-journal-remote \ --listen-https=-3 \ --output=/var/log/journal/remote/ +SecureBits=no-setuid-fixup no-setuid-fixup-locked User=systemd-journal-remote Group=systemd-journal-remote PrivateTmp=yes diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in index b2e3c76..ac776ac 100644 --- a/units/systemd-journal-upload.service.in +++ b/units/systemd-journal-upload.service.in @@ -12,6 +12,7 @@ After=network.target [Service] ExecStart=@rootlibexecdir@/systemd-journal-upload \ --save-state +SecureBits=no-setuid-fixup no-setuid-fixup-locked User=systemd-journal-upload PrivateTmp=yes PrivateDevices=yes diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index a3540c6..01bf2a7 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -22,6 +22,7 @@ RestartSec=0 NotifyAccess=all StandardOutput=null CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE +SecureBits=no-setuid-fixup no-setuid-fixup-locked WatchdogSec=1min FileDescriptorStoreMax=1024 diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index bfa0978..f0c06aa 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/localed ExecStart=@rootlibexecdir@/systemd-localed BusName=org.freedesktop.locale1 CapabilityBoundingSet= +SecureBits=no-setuid-fixup no-setuid-fixup-locked WatchdogSec=1min PrivateTmp=yes PrivateDevices=yes diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index f087e99..f6760c6 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -24,6 +24,7 @@ Restart=always RestartSec=0 BusName=org.freedesktop.login1 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG +SecureBits=no-setuid-fixup no-setuid-fixup-locked WatchdogSec=1min # Increase the default a bit in order to allow many simultaneous diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index 15f34d9..8ee3d81 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -16,6 +16,7 @@ After=machine.slice ExecStart=@rootlibexecdir@/systemd-machined BusName=org.freedesktop.machine1 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH +SecureBits=no-setuid-fixup no-setuid-fixup-locked WatchdogSec=1min PrivateTmp=yes PrivateDevices=yes diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 5a91b8e..4767e2e 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -23,6 +23,7 @@ Restart=on-failure RestartSec=0 ExecStart=@rootlibexecdir@/systemd-networkd CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER +SecureBits=no-setuid-fixup no-setuid-fixup-locked ProtectSystem=full ProtectHome=yes WatchdogSec=1min diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in index b643da9..aef562a 100644 --- a/units/systemd-resolved.service.in +++ b/units/systemd-resolved.service.in @@ -21,6 +21,7 @@ Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-resolved CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER +SecureBits=no-setuid-fixup no-setuid-fixup-locked ProtectSystem=full ProtectHome=yes WatchdogSec=1min diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index fe5ccb4..28e7772 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/timedated ExecStart=@rootlibexecdir@/systemd-timedated BusName=org.freedesktop.timedate1 CapabilityBoundingSet=CAP_SYS_TIME +SecureBits=no-setuid-fixup no-setuid-fixup-locked WatchdogSec=1min PrivateTmp=yes ProtectSystem=yes diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 39edafc..ed8fb80 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -23,6 +23,7 @@ Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-timesyncd CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER +SecureBits=no-setuid-fixup no-setuid-fixup-locked PrivateTmp=yes PrivateDevices=yes ProtectSystem=full -- 2.1.4 _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
