
Bug 587540

Summary: mail-filter/amavisd-new - additional systemd hardening
Product: Gentoo Linux
Reporter: Craig Andrews <candrews>
Component: Current packages
Assignee: Net-Mail Packages <net-mail+disabled>
Status: RESOLVED FIXED
Severity: enhancement
CC: antivirus, candrews, systemd
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Craig Andrews gentoo-dev 2016-06-29 20:57:41 UTC
amavisd-new's systemd service, amavisd.service, should use systemd's hardening features:
* PrivateTmp=true
* CapabilityBoundingSet=
* ProtectSystem=full
* NoNewPrivileges=true
* PrivateDevices=true
* ProtectHome=true

User=amavis and Group=amavis should also be specified. This matches what the build does already, what the default configuration is, and prevents the service from needing the CAP_SETUID and CAP_SETGID capabilities which improves security.

I tested these settings and didn't experience any problems in my (admittedly limited) setup. For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.
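An added audit helper (not part of this bug, the pull request, or the Gentoo ebuild) that reports which of the directives listed above are absent from a unit file's [Service] section; the sample unit files and their ExecStart path are constructed placeholders:

```shell
#!/bin/sh
# Added audit helper (not the ebuild's or the pull request's code): report
# which hardening directives from this bug a unit's [Service] section lacks.

# CapabilityBoundingSet= is kept empty on purpose: an empty assignment clears
# the bounding set. Only this literal spelling is matched (not yes/on/1).
HARDENING='PrivateTmp=true CapabilityBoundingSet= ProtectSystem=full
NoNewPrivileges=true PrivateDevices=true ProtectHome=true User=amavis Group=amavis'

# check_unit FILE: print "missing: ..." and return 1 if any directive is
# absent from [Service]; return 0 silently when all are present.
check_unit() {
    # Take the [Service] section and normalise "Key = value" to "Key=value".
    section=$(sed -n '/^\[Service\]/,/^\[/p' "$1" \
              | sed 's/[[:space:]]*=[[:space:]]*/=/')
    missing=''
    for directive in $HARDENING; do
        printf '%s\n' "$section" | grep -qx "$directive" \
            || missing="$missing $directive"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Constructed sample unit; the ExecStart path is a placeholder.
write_unhardened() {
    cat >"$1" <<'EOF'
[Unit]
Description=amavisd-new

[Service]
ExecStart=/usr/sbin/amavisd
EOF
}

# Same unit plus the proposed settings (one spaced, to exercise normalisation).
write_hardened() {
    write_unhardened "$1"
    cat >>"$1" <<'EOF'
User=amavis
Group=amavis
PrivateTmp=true
CapabilityBoundingSet=
ProtectSystem = full
NoNewPrivileges=true
PrivateDevices=true
ProtectHome=true
EOF
}
```

On a live system, `systemd-analyze security amavisd.service` (systemd 240 and later) scores the unit's sandboxing, which complements this static check with what the running manager actually applies.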
Comment 1 Craig Andrews gentoo-dev 2016-06-29 20:58:30 UTC
https://github.com/gentoo/gentoo/pull/1797