
Bug 587588

Summary: net-misc/radvd: improve systemd unit (including security hardening)
Product: Gentoo Linux
Reporter: Craig Andrews <candrews>
Component: Current packages
Assignee: Michael Weber (RETIRED) <xmw>
Status: RESOLVED FIXED
Severity: major
CC: candrews, prometheanfire
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=587586
Whiteboard:
Package list:
Runtime testing required: ---

Description Craig Andrews gentoo-dev 2016-06-30 14:21:35 UTC
The radvd.service systemd unit can be improved by having radvd never run as root, restricting capabilities as much as possible, and limiting file system access.

This has been discussed on the forums at https://forums.gentoo.org/viewtopic-p-7907924.html?sid=03b7d4158d14b19351a6c772b87a2fbd
Comment 1 Craig Andrews gentoo-dev 2016-06-30 14:27:26 UTC
https://github.com/gentoo/gentoo/pull/1799
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-06-30 22:42:20 UTC
fixed
Comment 3 Matthias Maier gentoo-dev 2016-08-08 20:21:48 UTC
With this patch applied radvd now fails to start:

  Aug 08 15:12:47 jackdaw systemd[1]: [/usr/lib64/systemd/system/radvd.service:17] Unknown lvalue 'AmbientCapabilities' in section 'Service'
  Aug 08 15:12:54 jackdaw systemd[1]: Starting Router advertisement daemon for IPv6...
  Aug 08 15:12:54 jackdaw radvd[9581]: [Aug 08 15:12:54] radvd (9581): version 2.13 started
  Aug 08 15:12:54 jackdaw systemd[1]: radvd.service: Control process exited, code=exited status=1
  Aug 08 15:12:54 jackdaw systemd[1]: Failed to start Router advertisement daemon for IPv6.


There is absolutely no reason to start radvd with different UID/GID settings. The daemon acquires a privileged port and privileged capabilities and suids and drops privileges afterwards just fine.
Comment 4 Craig Andrews gentoo-dev 2016-08-08 20:24:19 UTC
(In reply to Matthias Maier from comment #3)

What exact versions of systemd and radvd are you using?
Comment 5 Matthias Maier gentoo-dev 2016-08-08 20:26:24 UTC
Further, just a remark to the forum post this originated from:

 - radvd doesn't run as root. It starts up as root, acquires a privileged port and capabilities and suids afterwards.

 - Granting capabilities to the radvd executable is *worse* than the above solution, because it would enable *everyone* to start radvd with increased privileges. Definitely not something anyone would want.


Apparently, the above service file is for a radvd executable with said capabilities set. Please, let's not do that.
Comment 6 Matthias Maier gentoo-dev 2016-08-08 20:30:26 UTC
(In reply to candrews from comment #4)
> (In reply to Matthias Maier from comment #3)
> 
> What exact versions of systemd and radvd are you using?

Every version in the tree fails with this service file because no ebuild grants any capabilities to the executable (which is the correct thing to do).

I will post a modified service file that works and applies some system hardening.
Comment 7 Matthias Maier gentoo-dev 2016-08-08 20:36:35 UTC
Ah. Only very recent versions of systemd have the AmbientCapabilities= configuration value.
Comment 8 Matthias Maier gentoo-dev 2016-08-08 20:49:09 UTC
I propose that the unit file is changed to the following. This will work with every systemd version in the tree and has the advantage that the daemon (because it is started as root) has a chance to drop privileges again. Otherwise, it is the full system hardening as proposed.


[Unit]
Description=Router advertisement daemon for IPv6
Documentation=man:radvd(8)
After=network.target

[Service]
Type=forking
ExecStartPre=/usr/sbin/radvd --configtest
# Started as root so it can bind the privileged port and acquire its
# capabilities; radvd then switches to the radvd user itself (--username).
ExecStart=/usr/sbin/radvd --username radvd --logmethod stderr --debug 0
ExecReload=/usr/sbin/radvd --configtest ; \
           /bin/kill -HUP $MAINPID
CPUSchedulingPolicy=idle
PIDFile=/run/radvd/radvd.pid
RuntimeDirectory=radvd
# Only what is needed to bind the port, send raw ICMPv6 and change uid/gid.
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_NET_RAW
# File system and device isolation; the daemon cannot regain privileges.
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
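An added example, not code from Gentoo, radvd or systemd, of the check a packager would want to run before shipping a unit like the one above: it parses the unit text (sections, key=value, comment lines, backslash continuation), flags directives the target systemd version does not understand (the "Unknown lvalue 'AmbientCapabilities'" failure from comment 3), reports hardening directives that are missing or switched off, and compares CapabilityBoundingSet= against an allow-list. The version table is an assumption taken from the systemd NEWS file; the sample unit is a constructed copy of comment 8's file, and RADVD_CAPS is the capability set that file keeps.

```python
"""Audit a systemd service unit for the hardening discussed in this bug (added example)."""
from typing import Dict, List

# Constructed sample input: the unit from comment 8 (a few non-security lines trimmed).
SAMPLE_UNIT = """\
[Unit]
Description=Router advertisement daemon for IPv6
After=network.target

[Service]
Type=forking
ExecStartPre=/usr/sbin/radvd --configtest
ExecStart=/usr/sbin/radvd --username radvd --logmethod stderr --debug 0
ExecReload=/usr/sbin/radvd --configtest ; \\
           /bin/kill -HUP $MAINPID
PIDFile=/run/radvd/radvd.pid
RuntimeDirectory=radvd
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_NET_RAW
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
"""

# Assumption: first systemd release that understands each directive, per the systemd
# NEWS file.  Directives not listed here are treated as understood by every version.
DIRECTIVE_MIN_VERSION = {
    "AmbientCapabilities": 229,
    "ProtectSystem": 214,
    "ProtectHome": 214,
    "RuntimeDirectory": 211,
    "PrivateDevices": 209,
}
# Directives a hardened unit is expected to carry, and values that switch one off.
HARDENING_KEYS = ("CapabilityBoundingSet", "NoNewPrivileges", "PrivateTmp",
                  "PrivateDevices", "ProtectSystem", "ProtectHome")
OFF_VALUES = {"", "0", "no", "false", "off"}
# What radvd needs until it drops privileges: bind a privileged port, send raw
# ICMPv6, then setuid/setgid to the radvd user (the set kept in the unit above).
RADVD_CAPS = ("CAP_SETUID", "CAP_SETGID", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW")


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section: {key: [values...]}}; repeated keys keep every value in order."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    pending = ""  # text of a backslash-continued logical line collected so far
    for physical in text.splitlines():
        line = (pending + physical.lstrip()) if pending else physical
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "  # systemd joins lines with a space
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # blank or comment line
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in stripped:
            raise ValueError(f"malformed unit line: {stripped!r}")
        key, _, value = stripped.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def audit_service(text: str, systemd_version: int, allowed_caps) -> List[str]:
    """Return human-readable findings for the [Service] section; empty means it passes."""
    service = parse_unit(text).get("Service", {})
    findings: List[str] = []
    # 1. Directives the target systemd would reject as "Unknown lvalue".
    for key, minimum in DIRECTIVE_MIN_VERSION.items():
        if key in service and systemd_version < minimum:
            findings.append(f"{key}= needs systemd >= {minimum}, target is {systemd_version}")
    # 2. Hardening directives that are absent or explicitly switched off.
    for key in HARDENING_KEYS:
        if key not in service:
            findings.append(f"{key}= is not set")
        elif key != "CapabilityBoundingSet" and service[key][-1].lower() in OFF_VALUES:
            findings.append(f"{key}= is switched off")
    # 3. The bounding set must be an explicit allow-list of what the daemon needs.
    caps = set()
    for value in service.get("CapabilityBoundingSet", []):
        if value.startswith("~"):
            findings.append("CapabilityBoundingSet= uses an inverted deny-list; use an allow-list")
        elif value == "":  # an empty assignment resets the set
            caps.clear()
        else:
            caps.update(value.split())
    extra = sorted(caps - set(allowed_caps))
    if extra:
        findings.append("CapabilityBoundingSet= keeps unexpected capabilities: " + " ".join(extra))
    return findings


if __name__ == "__main__":
    with_ambient = SAMPLE_UNIT.replace("NoNewPrivileges=yes\n",
                                       "NoNewPrivileges=yes\nAmbientCapabilities=CAP_NET_RAW\n")
    for version in (228, 229):
        print(f"systemd {version}, comment 8 unit:", audit_service(SAMPLE_UNIT, version, RADVD_CAPS))
        print(f"systemd {version}, with AmbientCapabilities=:", audit_service(with_ambient, version, RADVD_CAPS))
```

Run it as a script to see the comment 8 unit pass on both versions while the AmbientCapabilities= variant is rejected below 229; the same function can be pointed at any unit text read from disk.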
Comment 9 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-08-08 20:57:05 UTC
fixed in place