Bug#863841: Enable systemd hardening options for named

Bug#863841: Enable systemd hardening options for named

Russ Allbery-2
Package: bind9
Version: 1:9.10.3.dfsg.P4-12.3
Severity: wishlist

BIND named is a great candidate for enabling systemd hardening features,
since it has very limited required access to the local file system and
a long history of security issues due to its complexity.

I'm currently using the following settings on jessie without any impact,
although I'm not using dynamic DNS or a few other things that may make
a difference.  jessie had much more limited options; there are other
options now available in newer systemd, and I didn't start looking at
system call filtering.

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

CAP_DAC_OVERRIDE is required for rndc to read /etc/bind/rndc.key; a
possible alternative would be to find a way to run it as the bind user
instead.  It's possible that you could drop CAP_SETGID and CAP_SETUID
and instead let systemd switch to the bind user, and put
CAP_NET_BIND_SERVICE into the ambient capability set instead so that it
can still bind to a low-numbered port.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                3.115
ii  bind9utils             1:9.10.3.dfsg.P4-12.3
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  libbind9-140           1:9.10.3.dfsg.P4-12.3
ii  libc6                  2.24-11
ii  libcap2                1:2.25-1
ii  libcomerr2             1.43.4-2
ii  libdns162              1:9.10.3.dfsg.P4-12.3
ii  libgeoip1              1.6.9-4
ii  libgssapi-krb5-2       1.15-1
ii  libirs141              1:9.10.3.dfsg.P4-12.3
ii  libisc160              1:9.10.3.dfsg.P4-12.3
ii  libisccc140            1:9.10.3.dfsg.P4-12.3
ii  libisccfg140           1:9.10.3.dfsg.P4-12.3
ii  libk5crypto3           1.15-1
ii  libkrb5-3              1.15-1
ii  liblwres141            1:9.10.3.dfsg.P4-12.3
ii  libssl1.0.2            1.0.2l-1
ii  libxml2                2.9.4+dfsg1-2.2
ii  lsb-base               9.20161125
ii  net-tools              1.60+git20161116.90da8a0-1
ii  netbase                5.4

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.10.3.dfsg.P4-12.3
pn  resolvconf  <none>
pn  ufw         <none>

-- debconf information:
  bind9/start-as-user: bind
  bind9/different-configuration-file:
  bind9/run-resolvconf: false
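One way to apply the settings from the report and then confirm they took effect, as an added example that is not part of the bug report or of the Debian package. It writes the six directives as a drop-in (the unit name bind9.service, and therefore the directory /etc/systemd/system/bind9.service.d/, is an assumption) and then decodes the CapBnd line of the running process's /proc/PID/status to check that the bounding set really is the four capabilities listed; the function names write_dropin, decode_caps and check_caps are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report or the bind9 package.
# Assumptions: the unit for named is bind9.service (so drop-ins live in
# /etc/systemd/system/bind9.service.d/), and the process to inspect is
# the MainPID systemd reports for that unit.

# Capability names indexed by bit number (Linux cap numbering, 0..37).
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ"

# write_dropin DIR: the settings from the report, written as a drop-in so
# the packaged unit file stays untouched across upgrades.
write_dropin() {
    mkdir -p "$1" || return 1
    cat > "$1/hardening.conf" <<'EOF'
[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
EOF
}

# decode_caps HEXMASK: turn a CapBnd/CapEff/CapAmb value from
# /proc/PID/status into capability names, in bit-number order.
decode_caps() {
    local mask bit name out
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
        bit=$((bit + 1))
    done
    # Bits above the table (newer kernels) are flagged rather than dropped.
    if [ $(( mask >> bit )) -ne 0 ]; then
        out="$out CAP_UNKNOWN"
    fi
    echo "${out# }"
}

# check_caps STATUSFILE FIELD EXPECTED: compare one Cap* line of a
# /proc/PID/status file against the expected names (bit-number order).
# Exit status 0 on match, 1 on mismatch, 2 if the field is missing.
check_caps() {
    local file field expected mask actual
    file=$1; field=$2; expected=$3
    mask=$(awk -v f="$field:" '$1 == f { print $2 }' "$file")
    if [ -z "$mask" ]; then
        echo "check_caps: no $field line in $file" >&2
        return 2
    fi
    actual=$(decode_caps "$mask")
    if [ "$actual" = "$expected" ]; then
        echo "$field OK: ${actual:-(empty)}"
        return 0
    fi
    echo "$field MISMATCH: got '$actual', expected '$expected'" >&2
    return 1
}

# What CapBnd must decode to once the drop-in is active.
EXPECTED_BND="CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE"

# Live use, as root (not executed here):
#   write_dropin /etc/systemd/system/bind9.service.d
#   systemctl daemon-reload && systemctl restart bind9
#   pid=$(systemctl show -p MainPID --value bind9)
#   check_caps "/proc/$pid/status" CapBnd "$EXPECTED_BND"
```

Checking the bounding set of the live process rather than the unit file matters: a mistyped directive name in a drop-in only produces an "Unknown lvalue" warning in the journal and is otherwise ignored, so the unit can appear hardened while the process still carries the full root set. On systemd 240 or newer, `systemd-analyze security bind9.service` gives a per-directive summary of the same configuration.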

Bug#863841: Enable systemd hardening options for named

Bernhard Schmidt
FTR, this is what the "others" are using (just as a reference, I think we can
easily add more):

Fedora/RHEL:
https://src.fedoraproject.org/rpms/bind/blob/master/f/named.service
PrivateTmp=true

SLES:
Unknown, but https://build.opensuse.org/package/revisions/network/bind
sports a nice "Add back init scripts, systemd units aren't ready yet"

Gentoo:
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-dns/bind/files/named.service-r1
nothing

Arch:
https://git.archlinux.org/svntogit/packages.git/tree/trunk/named.service?h=packages/bind
nothing

The only thing I can think of that might interfere with this is
chrooting the named daemon, which is possible with the "-t" command line
option. We do this to run multiple instances without the need to specify
the full path to the configuration file. I will test this in the
upcoming days.

Bernhard

Bug#863841: Enable systemd hardening options for named

Simon Deziel-2
In reply to this post by Russ Allbery-2
Hi,

It would be really nice to have those hardening options used. I use them
locally on Ubuntu. Please note that the Private*/Protect* options (using
the mount namespace) require this change to the AppArmor profile:

-/usr/sbin/named {
+/usr/sbin/named flags=(attach_disconnected) {
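Review bot: the two lines carry no file header, so the reader cannot tell which AppArmor profile file they belong to; name the profile file the package ships for named and add that it has to be reloaded (for example with apparmor_parser -r on that file) before a restarted named picks the flag up. The flag itself is the right one for this change: PrivateTmp=, PrivateDevices= and the Protect*= settings give the service its own mount namespace, and AppArmor treats paths that cannot be resolved from the namespace root as disconnected, which attach_disconnected re-attaches at / instead of denying them.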

Thanks,
Simon
