The radvd.service systemd unit can be improved by having radvd never run as root, restricting capabilities as much as possible, and limiting file system access.
This has been discussed on the forums at https://forums.gentoo.org/viewtopic-p-7907924.html?sid=03b7d4158d14b19351a6c772b87a2fbd
With this patch applied radvd now fails to start:
Aug 08 15:12:47 jackdaw systemd: [/usr/lib64/systemd/system/radvd.service:17] Unknown lvalue 'AmbientCapabilities' in section 'Service'
Aug 08 15:12:54 jackdaw systemd: Starting Router advertisement daemon for IPv6...
Aug 08 15:12:54 jackdaw radvd: [Aug 08 15:12:54] radvd (9581): version 2.13 started
Aug 08 15:12:54 jackdaw systemd: radvd.service: Control process exited, code=exited status=1
Aug 08 15:12:54 jackdaw systemd: Failed to start Router advertisement daemon for IPv6.
There is absolutely no reason to start radvd with different UID/GID settings. The daemon acquires a privileged port and privileged capabilities and suids and drops privileges afterwards just fine.
(In reply to Matthias Maier from comment #3)
What exact versions of systemd and radvd are you using?
Further, just a remark to the forum post this originated from:
- radvd doesn't run as root. It starts up as root, acquires a privileged port and capabilities and suids afterwards.
- Granting capabilities to the radvd executable is *worse* than the above solution. Because it would enable *everyone* to start radvd with increased privileges. Definitely not something anyone would want.
Apparently, the above service file is for a radvd executable with said capabilities set. Please, let's not do that.
(In reply to candrews from comment #4)
> (In reply to Matthias Maier from comment #3)
> What exact versions of systemd and radvd are you using?
Every version in the tree fails with this service file because no ebuild grants any capabilities to the executable (which is the correct thing to do).
I will post a modified service file that works and applies some system hardening.
Ah. Only very recent versions of systemd have the AmbientCapabilities= configuration value.
I propose that the unit file is changed to the following. This will work with every systemd version in the tree and has the advantage that the daemon (because it is started as root) has a chance to drop privileges again. Otherwise, it is the full system hardening as proposed.
[Unit]
Description=Router advertisement daemon for IPv6

[Service]
ExecStart=/usr/sbin/radvd --username radvd --logmethod stderr --debug 0
ExecReload=/usr/sbin/radvd --configtest ; \
/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_NET_RAW
fixed in place
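As an added example (not code from this bug report, from radvd or from systemd), the following POSIX shell script decodes the CapEff/CapBnd bitmasks that /proc/<pid>/status reports. That is the check behind the discussion above: whether a radvd started as root has really switched to the --username account and holds nothing beyond what it needs, and whether the CapabilityBoundingSet= line in the unit actually restricted the bounding set. The two status snippets embedded in it are constructed samples, not captures from a real radvd; the pidof invocation in the comment is an assumption about how you would locate the daemon on a live system.

```shell
#!/bin/sh
# Added example (not part of the bug report, radvd or systemd): decode the
# capability bitmasks from /proc/<pid>/status to verify what a daemon still
# holds after dropping privileges and what CapabilityBoundingSet= left in
# its bounding set.

# Capability names in kernel numbering order: bit i of a mask = capability i.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf
cap_checkpoint_restore"

# cap_names HEXMASK -> space-separated names of the set bits.
cap_names() {
    mask=$(( 0x$1 ))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# status_field STATUS_TEXT KEY -> first value after "KEY:" (real uid for Uid,
# the hex mask for CapEff/CapBnd and friends).
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# report_status STATUS_TEXT -> prints uid, effective caps and bounding caps.
# Live use (assumed): report_status "$(cat /proc/"$(pidof -s radvd)"/status)"
report_status() {
    printf 'uid=%s\neffective=[%s]\nbounding=[%s]\n' \
        "$(status_field "$1" Uid)" \
        "$(cap_names "$(status_field "$1" CapEff)")" \
        "$(cap_names "$(status_field "$1" CapBnd)")"
}

# dropped_privileges STATUS_TEXT ALLOWED_HEXMASK -> exit 0 when the process no
# longer runs as uid 0 and has no effective capability outside ALLOWED_HEXMASK.
dropped_privileges() {
    uid=$(status_field "$1" Uid)
    eff=$(( 0x$(status_field "$1" CapEff) ))
    allowed=$(( 0x$2 ))
    [ "$uid" -ne 0 ] && [ $(( eff & ~allowed )) -eq 0 ]
}

# Constructed samples (not real captures), only the lines that matter.
# 0x24c0 = CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_NET_RAW, the bounding
# set the proposed unit requests; 0x2000 is CAP_NET_RAW alone.
SAMPLE_HARDENED="Name: radvd
Uid: 102 102 102 102
Gid: 102 102 102 102
CapInh: 0000000000000000
CapPrm: 0000000000002000
CapEff: 0000000000002000
CapBnd: 00000000000024c0"

# Same daemon still running as root with an unrestricted bounding set
# (0x3fffffffff = all 38 capabilities of a kernel of that era).
SAMPLE_ROOT="Name: radvd
Uid: 0 0 0 0
Gid: 0 0 0 0
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff"

report_status "$SAMPLE_HARDENED"
if dropped_privileges "$SAMPLE_HARDENED" 24c0; then
    echo "hardened sample: privileges dropped, effective caps within bounding set"
fi
report_status "$SAMPLE_ROOT"
if ! dropped_privileges "$SAMPLE_ROOT" 24c0; then
    echo "root sample: still privileged"
fi
```

On a real host, feed it the status file of the radvd main process (radvd may fork more than one process, so check each pid you find). An empty effective set with a non-zero uid means the --username drop worked; a bounding set that decodes to more than the four names in the unit means CapabilityBoundingSet= was not applied, for example because the unit failed to parse as in the journal excerpt above.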