www-servers/apache2's systemd service, apache2.service, should use systemd's hardening features:

* PrivateTmp=true should be used. This would align Gentoo with the Red Hat / Fedora / CentOS family, which made this change in 2012: http://danwalsh.livejournal.com/51459.html
* CapabilityBoundingSet= should be set
* ProtectSystem=full (or at least true)
* NoNewPrivileges=true
* PrivateDevices=true

I tested these settings and didn't experience any problems in my (admittedly limited) setup. I think they should be fine for anyone except in exceptional and odd situations (e.g., apache is set up to read files from /tmp that another service writes to /tmp). For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.
https://github.com/gentoo/gentoo/pull/1739
BTW, on another note, I feel like upstream should be distributing the systemd service (with distributions free to customize it, of course!) so I've reported a bug in httpd requesting them to do so: https://bz.apache.org/bugzilla/show_bug.cgi?id=59760
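As an added example (not code from the bug report, the linked PR, or the Gentoo ebuild), the following script writes the five directives from the report into a systemd drop-in, which is also the mechanism an affected user would use to override the packaged unit, and provides a small audit function that reports which directives a given unit file still lacks. The CapabilityBoundingSet value is an assumption for a stock apache (bind privileged ports, drop to the apache user, signal its children); modules that exec setuid helpers such as suexec need a different set, and NoNewPrivileges=true prevents such helpers from gaining privileges at all, which is the failure mode later reported in bug 600292.

```shell
#!/bin/sh
# Added example: not code from the bug report, the PR, or the Gentoo ebuild.
#   write_dropin DIR   writes DIR/apache2.service.d/hardening.conf with the
#                      directives proposed in the report
#   audit_unit FILE    prints "missing: <Directive>" for each one FILE lacks;
#                      returns 0 when all five are present, 1 otherwise
# No systemctl calls are made, so this runs offline against any copy.

write_dropin() {
    dir="$1/apache2.service.d"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
# assumed minimal set for a stock apache; setuid helpers (suexec) need more
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_KILL
EOF
    echo "$dir/hardening.conf"
}

# has_directive FILE REGEX: true if some line of FILE matches REGEX
has_directive() {
    grep -Eq "$2" "$1"
}

# audit_unit FILE: check each directive; accept the spellings systemd takes
audit_unit() {
    rc=0
    for spec in \
        'PrivateTmp|^PrivateTmp=(true|yes)$' \
        'ProtectSystem|^ProtectSystem=(true|full|strict)$' \
        'NoNewPrivileges|^NoNewPrivileges=(true|yes)$' \
        'PrivateDevices|^PrivateDevices=(true|yes)$' \
        'CapabilityBoundingSet|^CapabilityBoundingSet=.+$'
    do
        name=${spec%%|*}
        regex=${spec#*|}
        if ! has_directive "$1" "$regex"; then
            echo "missing: $name"
            rc=1
        fi
    done
    return $rc
}

# usage (constructed demo): audit a bare unit, then the generated drop-in
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '[Service]\nExecStart=/usr/sbin/apache2 -D FOREGROUND\n' > "$tmp/apache2.service"
    audit_unit "$tmp/apache2.service" || echo "unit is not hardened"
    conf=$(write_dropin "$tmp")
    audit_unit "$conf" && echo "drop-in carries all five directives"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the audit on a constructed bare unit, or source it and call `audit_unit /path/to/apache2.service` against a real unit; a drop-in under /etc/systemd/system/apache2.service.d/ is merged by systemd on `daemon-reload`, so the same audit applied to the drop-in shows what the override contributes.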
Since I do not use systemd anywhere nor do I have the tiniest interest in learning any systemd internals, I have CCed our systemd team so they can do whatever is necessary here.
Sure, I'll test, and assuming there are no objections commit the change.
(In reply to Richard Freeman from comment #4)
> Sure, I'll test, and assuming there are no objections commit the change.

No objections from my side.
Ok, I've been testing this for a week on the stable version with no issues. I can't vouch for ~arch, though I see no reason it wouldn't work there. Do you want me to go ahead and revbump both for this?
(In reply to Richard Freeman from comment #6)
> Ok, I've been testing this for a week on the stable version with no issues.
> I can't vouch for ~arch, though I see no reason it wouldn't work there. Do
> you want me to go ahead and revbump both for this?

I already gave you my okay and didn't change my mind since ;)
(In reply to Lars Wendler (Polynomial-C) from comment #7)
> (In reply to Richard Freeman from comment #6)
> > Ok, I've been testing this for a week on the stable version with no issues.
> > I can't vouch for ~arch, though I see no reason it wouldn't work there. Do
> > you want me to go ahead and revbump both for this?
>
> I already gave you my okay and didn't change my mind since ;)

Yup, my question was more about being OK with going straight to stable and bumping ~arch without specifically testing it. I'll do so shortly.
Any updates? I just rebased the PR and believe it's all set to merge: https://github.com/gentoo/gentoo/pull/1739
Ok, committed to gentoo...
Problem with suexec caused by this change reported in: https://bugs.gentoo.org/show_bug.cgi?id=600292