Am 29.08.2016 um 04:52 schrieb Paul Kosinski:
"the "InaccessibleDirectories" stuff *is* DENY" Not quite. If you read the entire description of Allow/Deny/Order at https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html, you will see that Apache (httpd) provides a somewhat more powerful scheme of access control than systemd's three "xxxDirectories=" directives, in that the "Order" directive provides for prioritization of blocking vs admitting.
besides that you refer to a compat module *nobody* should use with httpd >= 2.4.0 and when you test the behavior in case of config merging
different config files define different permissions and how they are inherited - i been there years ago due the transition to apache 2.4 and careful testing showed that your config does oftern *not* what you think especially if mod_access_compat and the new directives are mixed because .htaccess, distro-snippets and admin config files - in other words: you may have no clue how your permissions are acting at all in real life
KERNEL NAMESPACSE are a completly different thing by nature
P.S. Linux kernel namespaces in general are quite good -- a worthy successor to the capability-based systems some of us worked on at NCR 1969-1970 (contemporaneous with Unix, but totally independent), and IBM Research 1970-1971 ("Future Systems", leading to System 38 and AS/400). On Sat, 27 Aug 2016 20:52:58 +0200 Reindl Harald <h.rei...@thelounge.net> wrote:Am 27.08.2016 um 20:45 schrieb Paul Kosinski:Does systemd have any ALLOW/DENY option (like Apache) for directories?the "InaccessibleDirectories" stuff *is* DENY google for "linux kernel namespaces"The "InaccessibleDirectories" option seems tedious and error prone, especially since *all* x.service files would have to be checked every time a new service, with perhaps new directories, is added.say who? you just need to understand where you service needs access and start with a complete read-only filesystem-namespace (ReadOnlyDirectories=/), open specific directories nad some where i *know for sure* the service has no business are completly closed nobody forces you to use all that security options - but saying "i don't use them at all because i may miss to forbid whatever new directory" is nonsense it's just a matter of how tight you want your security beyond SELinux and similar tech, how well you know the stuff you are running and how much time will you spend for that clamd in case of mailserver needs zero to no capabilities because it has to deal only with temp files and since by definition clamd deals with ratware i prefer to chain it as much as possibleOn Sat, 27 Aug 2016 18:59:07 +0200 Reindl Harald <h.rei...@thelounge.net> wrote:Am 27.08.2016 um 18:30 schrieb G.W. Haywood:Hi there, On Sat, 27 Aug 2016, Jeff Dyke wrote:... if i start clamd with sudo -u clamav /usr/sbin/clamd --config-file=/etc/clamav/clamd.conf it *will* bind to that address and port. ... When starting via /etc/init.d/clamav-daemon start or sudo service clamav-daemon start it does not bind to the port. ... No ... socket received from systemd. ...Are the other servers also Ubuntu 16.04? What are they all doing? Anything more from the clamd.conf debug options? I use ClamAV only on mail servers. I tend not to use distro packages for things mail, and anyway I have yet to use ClamAV on a systemd box (and with luck I never will) - but in your shoes I'd be inclined e.g. to chmod a-x the ClamAV scripts in /etc/init.d then put something to start clamd in /etc/rc.local to see if it works there after the network stack is all up and runningto start with a proper environment don't contain anything in /etc/init.d if we talk about systemd so what tells "systemctl list-units | grep clam" and what tells "systemctl status" for each listed uint - to get a minimum overview how the system is wired togehter (not that good when using compat startscripts) in the best case you disable/mask all that distro-crap and create your own clamd.service and adapt it to your needs (that one below only needs unix-sockets and hence can start with a restirced use - it could do the same in a high port in case of a tcp socket) [root@mail-gw:~]$ cat /etc/systemd/system/clamd.service [Unit] Description=ClamAV Scanner Daemon [Service] Type=forking Environment="TMPDIR=/tmp" Environment="LANG=en_GB.UTF-8" ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID Restart=always RestartSec=1 Nice=5 User=clamscan Group=clamilt PrivateTmp=yes PrivateDevices=yes PrivateNetwork=no NoNewPrivileges=yes CapabilityBoundingSet=CAP_KILL RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallArchitectures=x86-64 SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon umount2 uselib vmsplice ReadOnlyDirectories=/ ReadWriteDirectories=/run/clamd.scan ReadWriteDirectories=/run/clamd ReadWriteDirectories=/var/log ReadWriteDirectories=/tmp InaccessibleDirectories=-/boot InaccessibleDirectories=-/etc/dbus-1 InaccessibleDirectories=-/etc/modprobe.d InaccessibleDirectories=-/etc/modules-load.d InaccessibleDirectories=-/etc/postfix InaccessibleDirectories=-/etc/ssh InaccessibleDirectories=-/etc/sysctl.d InaccessibleDirectories=-/home InaccessibleDirectories=-/media InaccessibleDirectories=-/root InaccessibleDirectories=-/run/blkid InaccessibleDirectories=-/run/console InaccessibleDirectories=-/run/dbus InaccessibleDirectories=-/run/lock InaccessibleDirectories=-/run/log InaccessibleDirectories=-/run/mount InaccessibleDirectories=-/run/screen InaccessibleDirectories=-/run/sepermit InaccessibleDirectories=-/run/setrans InaccessibleDirectories=-/run/spamassassin InaccessibleDirectories=-/run/spamassassin-submission InaccessibleDirectories=-/run/spamass-milter InaccessibleDirectories=-/run/spamd-debug InaccessibleDirectories=-/run/systemd/generator InaccessibleDirectories=-/run/systemd/system InaccessibleDirectories=-/run/systemd/users InaccessibleDirectories=-/run/udev InaccessibleDirectories=-/run/user InaccessibleDirectories=-/run/vnstat InaccessibleDirectories=-/usr/lib64/dbus-1 InaccessibleDirectories=-/usr/lib64/xtables InaccessibleDirectories=-/usr/lib/dracut InaccessibleDirectories=-/usr/libexec/iptables InaccessibleDirectories=-/usr/libexec/openssh InaccessibleDirectories=-/usr/libexec/postfix InaccessibleDirectories=-/usr/lib/grub InaccessibleDirectories=-/usr/lib/kernel InaccessibleDirectories=-/usr/lib/modprobe.d InaccessibleDirectories=-/usr/lib/modules InaccessibleDirectories=-/usr/lib/modules-load.d InaccessibleDirectories=-/usr/lib/rpm InaccessibleDirectories=-/usr/lib/sysctl.d InaccessibleDirectories=-/usr/lib/udev InaccessibleDirectories=-/usr/local InaccessibleDirectories=-/var/db InaccessibleDirectories=-/var/lib/alternatives InaccessibleDirectories=-/var/lib/bayes-persistent InaccessibleDirectories=-/var/lib/dbus InaccessibleDirectories=-/var/lib/dnf InaccessibleDirectories=-/var/lib/initramfs InaccessibleDirectories=-/var/lib/logrotate InaccessibleDirectories=-/var/lib/mailgraph InaccessibleDirectories=-/var/lib/misc InaccessibleDirectories=-/var/lib/mlocate InaccessibleDirectories=-/var/lib/ntp InaccessibleDirectories=-/var/lib/os-prober InaccessibleDirectories=-/var/lib/postfix InaccessibleDirectories=-/var/lib/rbldnsd InaccessibleDirectories=-/var/lib/rkhunter InaccessibleDirectories=-/var/lib/rpm InaccessibleDirectories=-/var/lib/rsyslog InaccessibleDirectories=-/var/lib/smokeping InaccessibleDirectories=-/var/lib/spamassassin InaccessibleDirectories=-/var/lib/spamass-milter InaccessibleDirectories=-/var/lib/spamfilter InaccessibleDirectories=-/var/lib/systemd InaccessibleDirectories=-/var/lib/unbound InaccessibleDirectories=-/var/lib/vnstat InaccessibleDirectories=-/var/lib/yum InaccessibleDirectories=-/var/log/rkhunter InaccessibleDirectories=-/var/spool [Install] WantedBy=multi-user.target
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
