Bug 587596 - mail-filter/sqlgrey - systemd service improvements and hardening
Summary: mail-filter/sqlgrey - systemd service improvements and hardening
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2016-06-30 15:54 UTC by Craig Andrews
Modified: 2019-10-21 22:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Craig Andrews gentoo-dev 2016-06-30 15:54:36 UTC
The sqlgrey systemd service can be improved and hardened.

I suggest that User=sqlgrey and Group=sqlgrey be added to match what the build sets up already (eliminating sqlgrey ever running as root). PIDFile=/run/sqlgrey.pid should also be specified. These hardening options should be added:
CapabilityBoundingSet=
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
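As an added example (not code from this bug, its pull request, or the sqlgrey ebuild), a POSIX shell check that audits a unit file's [Service] section for exactly the directives listed in the description, run against a constructed unhardened unit and the same unit with the directives added. The ExecStart line in the sample units is an assumption.

```shell
#!/bin/sh
# Added example, not from the sqlgrey ebuild or the bug's pull request:
# audit a unit file's [Service] section for the directives the report lists.

# Directives requested in the description; CapabilityBoundingSet= is meant to be empty.
WANTED='User=sqlgrey Group=sqlgrey PIDFile=/run/sqlgrey.pid CapabilityBoundingSet=
PrivateTmp=yes PrivateDevices=yes ProtectSystem=full ProtectHome=yes NoNewPrivileges=yes'

# Print each wanted Key=Value that does not appear verbatim in the [Service]
# section of unit file $1 (surrounding whitespace on a line is ignored).
missing_hardening() {
    for kv in $WANTED; do
        sed -n '/^\[Service]/,/^\[/p' "$1" \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
            | grep -qxF -- "$kv" || echo "$kv"
    done
}

# Number of missing directives; 0 means the unit carries everything the bug asks for.
count_missing() { missing_hardening "$1" | wc -l | tr -d ' '; }

# Constructed sample units. The ExecStart line is an assumption, not the ebuild's.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
[Service]
Type=forking
ExecStart=/usr/sbin/sqlgrey -d

[Install]
WantedBy=multi-user.target
EOF
# Same service section with User=/Group=, PIDFile= and the hardening options added.
cat > "$AFTER" <<'EOF'
[Service]
Type=forking
ExecStart=/usr/sbin/sqlgrey -d
User=sqlgrey
Group=sqlgrey
PIDFile=/run/sqlgrey.pid
CapabilityBoundingSet=
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
EOF

echo "before: $(count_missing "$BEFORE") missing"; missing_hardening "$BEFORE"
echo "after:  $(count_missing "$AFTER") missing"
```

Point it at the installed unit (`missing_hardening /usr/lib/systemd/system/sqlgrey.service`) to see which of the requested directives a given package version actually ships; on recent systemd, `systemd-analyze security sqlgrey.service` gives a broader score of the same kind.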
Comment 1 Craig Andrews gentoo-dev 2016-06-30 15:55:21 UTC
https://github.com/gentoo/gentoo/pull/1800
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-01 12:22:27 UTC
Doesn't sqlgrey drop privileges itself?
Comment 3 Craig Andrews gentoo-dev 2016-07-01 13:45:46 UTC
(In reply to Michał Górny from comment #2)
> Doesn't sqlgrey drop privileges itself?

It does. But why trust if we don't have to? IMHO it's better to never have privileges rather than have them only to drop them. With the "never have privileges" approach, no one has to trust that the dropping is done correctly, that there isn't a vulnerability before dropping, that there isn't a way to get back root after dropping, or any number of other problems.
Comment 4 Philippe Chaintreuil 2019-10-21 21:28:22 UTC
It looks to me that this was fixed years ago by @mgorny via https://github.com/gentoo/gentoo/commit/1a34370c22e9d57dbf10f3830528b19c17704d5d and thus can be closed as fixed.
Comment 5 Pacho Ramos gentoo-dev 2019-10-21 22:13:20 UTC
thanks