"the "InaccessibleDirectories" stuff *is* DENY" Not quite. If you read the entire description of Allow/Deny/Order at https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html, you will see that Apache (httpd) provides a somewhat more powerful scheme of access control than systemd's three "xxxDirectories=" directives, in that the "Order" directive provides for prioritization of blocking vs admitting.
P.S. Linux kernel namespaces in general are quite good -- a worthy successor to the capability-based systems some of us worked on at NCR 1969-1970 (contemporaneous with Unix, but totally independent), and IBM Research 1970-1971 ("Future Systems", leading to System 38 and AS/400).

On Sat, 27 Aug 2016 20:52:58 +0200
Reindl Harald <h.rei...@thelounge.net> wrote:

>
>
> On 27.08.2016 at 20:45, Paul Kosinski wrote:
> > Does systemd have any ALLOW/DENY option (like Apache) for
> > directories?
>
> the "InaccessibleDirectories" stuff *is* DENY
> google for "linux kernel namespaces"
>
> > The "InaccessibleDirectories" option seems tedious and error prone,
> > especially since *all* x.service files would have to be checked
> > every time a new service, with perhaps new directories, is added.
>
> say who?
>
> you just need to understand where your service needs access and start
> with a complete read-only filesystem-namespace
> (ReadOnlyDirectories=/), open specific directories and some where i
> *know for sure* the service has no business are completely closed
>
> nobody forces you to use all those security options - but saying "i
> don't use them at all because i may miss to forbid whatever new
> directory" is nonsense
>
> it's just a matter of how tight you want your security beyond SELinux
> and similar tech, how well you know the stuff you are running and how
> much time you will spend on that
>
> clamd in case of a mailserver needs zero to no capabilities because it
> has to deal only with temp files and since by definition clamd deals
> with ratware i prefer to chain it as much as possible
>
> > On Sat, 27 Aug 2016 18:59:07 +0200
> > Reindl Harald <h.rei...@thelounge.net> wrote:
> >>
> >>
> >> On 27.08.2016 at 18:30, G.W. Haywood wrote:
> >>> Hi there,
> >>>
> >>> On Sat, 27 Aug 2016, Jeff Dyke wrote:
> >>>
> >>>> ... if i start clamd with
> >>>> sudo -u clamav /usr/sbin/clamd
> >>>> --config-file=/etc/clamav/clamd.conf it *will* bind to that
> >>>> address and port. ...
> >>>> When starting via /etc/init.d/clamav-daemon start or sudo service
> >>>> clamav-daemon start it does not bind to the port.
> >>>>
> >>>> ... No ... socket received from systemd.
> >>>> ...
> >>>
> >>> Are the other servers also Ubuntu 16.04?
> >>>
> >>> What are they all doing?
> >>>
> >>> Anything more from the clamd.conf debug options?
> >>>
> >>> I use ClamAV only on mail servers. I tend not to use distro
> >>> packages for things mail, and anyway I have yet to use ClamAV on a
> >>> systemd box (and with luck I never will) - but in your shoes I'd
> >>> be inclined e.g. to chmod a-x the ClamAV scripts in /etc/init.d
> >>> then put something to start clamd in /etc/rc.local to see if it
> >>> works there after the network stack is all up and running
> >>
> >> to start with a proper environment don't contain anything
> >> in /etc/init.d if we talk about systemd
> >>
> >> so what tells "systemctl list-units | grep clam" and what tells
> >> "systemctl status" for each listed unit - to get a minimum overview
> >> how the system is wired together (not that good when using compat
> >> startscripts)
> >>
> >> in the best case you disable/mask all that distro-crap and create
> >> your own clamd.service and adapt it to your needs (that one below
> >> only needs unix-sockets and hence can start with a restricted user -
> >> it could do the same on a high port in case of a tcp socket)
> >>
> >> [root@mail-gw:~]$ cat /etc/systemd/system/clamd.service
> >> [Unit]
> >> Description=ClamAV Scanner Daemon
> >>
> >> [Service]
> >> Type=forking
> >> Environment="TMPDIR=/tmp"
> >> Environment="LANG=en_GB.UTF-8"
> >> ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
> >> ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
> >> Restart=always
> >> RestartSec=1
> >> Nice=5
> >>
> >> User=clamscan
> >> Group=clamilt
> >>
> >> PrivateTmp=yes
> >> PrivateDevices=yes
> >> PrivateNetwork=no
> >> NoNewPrivileges=yes
> >> CapabilityBoundingSet=CAP_KILL
> >> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> >> SystemCallArchitectures=x86-64
> >> SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime
> >> delete_module fanotify_init finit_module get_mempolicy init_module
> >> io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel
> >> kcmp kexec_load keyctl lookup_dcookie mbind migrate_pages mount
> >> move_pages open_by_handle_at perf_event_open pivot_root
> >> process_vm_readv process_vm_writev ptrace remap_file_pages
> >> request_key set_mempolicy swapoff swapon umount2 uselib vmsplice
> >>
> >> ReadOnlyDirectories=/
> >> ReadWriteDirectories=/run/clamd.scan
> >> ReadWriteDirectories=/run/clamd
> >> ReadWriteDirectories=/var/log
> >> ReadWriteDirectories=/tmp
> >>
> >> InaccessibleDirectories=-/boot
> >> InaccessibleDirectories=-/etc/dbus-1
> >> InaccessibleDirectories=-/etc/modprobe.d
> >> InaccessibleDirectories=-/etc/modules-load.d
> >> InaccessibleDirectories=-/etc/postfix
> >> InaccessibleDirectories=-/etc/ssh
> >> InaccessibleDirectories=-/etc/sysctl.d
> >> InaccessibleDirectories=-/home
> >> InaccessibleDirectories=-/media
> >> InaccessibleDirectories=-/root
> >> InaccessibleDirectories=-/run/blkid
> >> InaccessibleDirectories=-/run/console
> >> InaccessibleDirectories=-/run/dbus
> >> InaccessibleDirectories=-/run/lock
> >> InaccessibleDirectories=-/run/log
> >> InaccessibleDirectories=-/run/mount
> >> InaccessibleDirectories=-/run/screen
> >> InaccessibleDirectories=-/run/sepermit
> >> InaccessibleDirectories=-/run/setrans
> >> InaccessibleDirectories=-/run/spamassassin
> >> InaccessibleDirectories=-/run/spamassassin-submission
> >> InaccessibleDirectories=-/run/spamass-milter
> >> InaccessibleDirectories=-/run/spamd-debug
> >> InaccessibleDirectories=-/run/systemd/generator
> >> InaccessibleDirectories=-/run/systemd/system
> >> InaccessibleDirectories=-/run/systemd/users
> >> InaccessibleDirectories=-/run/udev
> >> InaccessibleDirectories=-/run/user
> >> InaccessibleDirectories=-/run/vnstat
> >> InaccessibleDirectories=-/usr/lib64/dbus-1
> >> InaccessibleDirectories=-/usr/lib64/xtables
> >> InaccessibleDirectories=-/usr/lib/dracut
> >> InaccessibleDirectories=-/usr/libexec/iptables
> >> InaccessibleDirectories=-/usr/libexec/openssh
> >> InaccessibleDirectories=-/usr/libexec/postfix
> >> InaccessibleDirectories=-/usr/lib/grub
> >> InaccessibleDirectories=-/usr/lib/kernel
> >> InaccessibleDirectories=-/usr/lib/modprobe.d
> >> InaccessibleDirectories=-/usr/lib/modules
> >> InaccessibleDirectories=-/usr/lib/modules-load.d
> >> InaccessibleDirectories=-/usr/lib/rpm
> >> InaccessibleDirectories=-/usr/lib/sysctl.d
> >> InaccessibleDirectories=-/usr/lib/udev
> >> InaccessibleDirectories=-/usr/local
> >> InaccessibleDirectories=-/var/db
> >> InaccessibleDirectories=-/var/lib/alternatives
> >> InaccessibleDirectories=-/var/lib/bayes-persistent
> >> InaccessibleDirectories=-/var/lib/dbus
> >> InaccessibleDirectories=-/var/lib/dnf
> >> InaccessibleDirectories=-/var/lib/initramfs
> >> InaccessibleDirectories=-/var/lib/logrotate
> >> InaccessibleDirectories=-/var/lib/mailgraph
> >> InaccessibleDirectories=-/var/lib/misc
> >> InaccessibleDirectories=-/var/lib/mlocate
> >> InaccessibleDirectories=-/var/lib/ntp
> >> InaccessibleDirectories=-/var/lib/os-prober
> >> InaccessibleDirectories=-/var/lib/postfix
> >> InaccessibleDirectories=-/var/lib/rbldnsd
> >> InaccessibleDirectories=-/var/lib/rkhunter
> >> InaccessibleDirectories=-/var/lib/rpm
> >> InaccessibleDirectories=-/var/lib/rsyslog
> >> InaccessibleDirectories=-/var/lib/smokeping
> >> InaccessibleDirectories=-/var/lib/spamassassin
> >> InaccessibleDirectories=-/var/lib/spamass-milter
> >> InaccessibleDirectories=-/var/lib/spamfilter
> >> InaccessibleDirectories=-/var/lib/systemd
> >> InaccessibleDirectories=-/var/lib/unbound
> >> InaccessibleDirectories=-/var/lib/vnstat
> >> InaccessibleDirectories=-/var/lib/yum
> >> InaccessibleDirectories=-/var/log/rkhunter
> >> InaccessibleDirectories=-/var/spool
> >>
> >> [Install]
> >> WantedBy=multi-user.target
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
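The thread turns on how systemd's three directory directives combine when they overlap: unlike Apache's Order, there is no ordering keyword, precedence comes from path nesting (a ReadWriteDirectories= entry inside a ReadOnlyDirectories=/ tree makes that subtree writable), and a leading "-" only means "skip the entry if the path does not exist". Since systemd 231 the same settings are spelled ReadWritePaths=, ReadOnlyPaths= and InaccessiblePaths=; the old names still work. The script below is an added example written for this thread, not systemd code and not code from any poster: it parses the directives out of a unit file and reports the mode a given path would end up with, so the "did I forget a directory" worry raised above can be answered by a query instead of by reading a long list. The precedence model it encodes (most specific listed path wins; anything under an Inaccessible* path is unreachable even if a nested ReadWrite* entry exists; when the same path is listed twice the more restrictive mode wins) is my reading of systemd's namespace setup and is an assumption to verify on your own version, for example with `systemd-run -t -p ReadOnlyPaths=/ -p ReadWritePaths=/tmp -- /bin/sh` and a quick `touch` in a few places. SAMPLE_UNIT is a constructed, shortened version of the clamd.service posted above.

```python
"""Resolve what a systemd mount-namespace setup lets a service see.

Added example for this thread, not systemd code and not any poster's
code. The precedence model (an assumption, from my reading of systemd's
namespace setup) is: most specific listed path wins; anything beneath an
Inaccessible* entry is unreachable regardless of nested entries; if the
same path is listed twice, the more restrictive mode wins.
"""
from pathlib import PurePosixPath

# Old names as used in the thread and the names systemd uses since v231.
DIRECTIVES = {
    "ReadWriteDirectories": "rw", "ReadWritePaths": "rw",
    "ReadOnlyDirectories": "ro", "ReadOnlyPaths": "ro",
    "InaccessibleDirectories": "none", "InaccessiblePaths": "none",
}
RESTRICTIVENESS = {"none": 0, "ro": 1, "rw": 2}   # lower = more restrictive


def parse_unit(text):
    """Return [(path, mode)] from the [Service] section of a unit file.

    A leading '-' (ignore the entry if the path is missing) is stripped,
    several space-separated paths may share one line, and an empty
    assignment resets every entry of that directive seen so far.
    """
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line
            continue
        if section != "[Service]" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        mode = DIRECTIVES.get(key.strip())
        if mode is None:
            continue
        if not value.strip():
            rules = [r for r in rules if r[1] != mode]
            continue
        for p in value.split():
            rules.append((str(PurePosixPath(p.lstrip("-"))), mode))
    return rules


def _covers(prefix, path):
    """True if prefix is path itself or one of its ancestors."""
    prefix, path = PurePosixPath(prefix), PurePosixPath(path)
    return path == prefix or prefix in path.parents


def effective_mode(rules, path):
    """'rw', 'ro' or 'none' for path, or 'default' when no directive
    covers it (ordinary DAC applies). Inaccessible* wins outright;
    otherwise the longest matching prefix wins, most restrictive on ties."""
    if any(mode == "none" and _covers(p, path) for p, mode in rules):
        return "none"
    hits = [(len(PurePosixPath(p).parts), -RESTRICTIVENESS[mode], mode)
            for p, mode in rules if _covers(p, path)]
    return max(hits)[2] if hits else "default"


def audit(unit_text, paths):
    """Map each path to the mode the unit's namespace would give it."""
    rules = parse_unit(unit_text)
    return {p: effective_mode(rules, p) for p in paths}


# Constructed, shortened version of the clamd.service posted in the thread.
SAMPLE_UNIT = """\
[Unit]
Description=ClamAV Scanner Daemon

[Service]
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
User=clamscan
ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan
ReadWriteDirectories=/run/clamd
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp
InaccessibleDirectories=-/etc/postfix
InaccessibleDirectories=-/etc/ssh
InaccessibleDirectories=-/home
InaccessibleDirectories=-/var/spool
"""

if __name__ == "__main__":
    # Paths a mail-gateway clamd touches (or must not touch); assumed names.
    for path, mode in audit(SAMPLE_UNIT, [
        "/etc/clamd.d/scan.conf", "/var/lib/clamav/main.cvd",
        "/run/clamd/clamd.sock", "/var/log/clamd.log",
        "/etc/postfix/main.cf", "/var/spool/postfix/incoming",
    ]).items():
        print(f"{mode:7} {path}")
```

Run it against the real unit (`parse_unit(open("/etc/systemd/system/clamd.service").read())`) with the paths your service opens according to its config and `strace`/audit logs; a "default" answer means no directive reaches that path at all, which for a ReadOnlyDirectories=/ unit should never happen and points at a parsing or drop-in problem. Newer systemd also ships `systemd-analyze security <unit>`, which scores the other hardening settings in the posted unit, but it does not answer the per-path question this script does.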