PS: I didn't notice #791571.
Here is a fixed patch (that assumes the current socket location)On Sun, May 08, 2016 at 07:18:16PM +0200, Nicolas Braud-Santoni wrote: > Control: tags -1 patch > > Dear dererk, > > Here is a patch that implements the suggested change. > Note that ProtectSystem=full was replaced by more restrictive settings: > > > # Makes the system read-only (in the daemon's namespace) > > # and prevent access to the logs > > ReadOnlyDirectories=/ > > ReadWriteDirectories=/var/run > > ReadWriteDirectories=/var/lib/openntpd > > InaccessibleDirectories=/var/log > > The configuration change suggested here was tested on stretch, like the > original one. > For some reason that I haven't elucidated yet, it fails on jessie, but this is > likely not an issue (it wouldn't be sent to stable anyhow). > > > Best, > > nicoo > From 1ebb3d50a35d2163b22a6e514ccb8d4687cbfead Mon Sep 17 00:00:00 2001 > From: Nicolas Braud-Santoni <[email protected]> > Date: Sun, 8 May 2016 19:13:45 +0200 > Subject: [PATCH] Use systemd sandboxing > > --- > debian/changelog | 6 ++++++ > debian/openntpd.service | 26 ++++++++++++++++++++++++++ > 2 files changed, 32 insertions(+) > > diff --git a/debian/changelog b/debian/changelog > index 6bae66c..7b760c0 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,9 @@ > +openntpd (1:5.7p4-4) unstable; urgency=medium > + > + * Use systemd's sandboxing (Closes: 816456) > + > + -- > + > openntpd (1:5.7p4-3) unstable; urgency=medium > > * Add support for GNU/kFreeBSD arc4random (Closes: 815302). > diff --git a/debian/openntpd.service b/debian/openntpd.service > index 311e0c6..9289fc0 100644 > --- a/debian/openntpd.service > +++ b/debian/openntpd.service > @@ -3,6 +3,7 @@ Description=OpenNTPd Network Time Protocol > Conflicts=systemd-timesyncd.service > After=network.target > > + > [Service] > Type=forking > EnvironmentFile=-/etc/default/openntpd > @@ -10,5 +11,30 @@ ExecStart=/usr/sbin/ntpd $DAEMON_OPTS > Restart=on-failure > RuntimeDirectory=openntpd > > +## Sandboxing features. See systemd.exec(5) > +# The service gets its own instance of {/var,}/tmp > +PrivateTmp=true > + > +# Only exposes API pseudo-devices (/dev/null, zero, random) > +PrivateDevices=true > + > +# Makes the system read-only (in the daemon's namespace) > +# and prevent access to the logs > +ReadOnlyDirectories=/ > +ReadWriteDirectories=/var/run > +ReadWriteDirectories=/var/lib/openntpd > +InaccessibleDirectories=/var/log > + > +# Prevents access to /home, /root and /run/user > +ProtectHome=true > + > +# Bounds the daemon's privileges. > +# See capabilities(7) and > +# /usr/share/doc/linux-doc-*/Documentation/prctl/no_new_privs.txt.gz > +CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG > +CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT > +NoNewPrivileges=true > + > + > [Install] > WantedBy=multi-user.target > -- > 2.8.1 >
From 63d85b72808a0ebdd7a135a13c8ba8aa38b7f529 Mon Sep 17 00:00:00 2001 From: Nicolas Braud-Santoni <[email protected]> Date: Sun, 8 May 2016 19:13:45 +0200 Subject: [PATCH] Use systemd sandboxing --- debian/changelog | 6 ++++++ debian/openntpd.service | 25 +++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/debian/changelog b/debian/changelog index 6bae66c..7b760c0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +openntpd (1:5.7p4-4) unstable; urgency=medium + + * Use systemd's sandboxing (Closes: 816456) + + -- + openntpd (1:5.7p4-3) unstable; urgency=medium * Add support for GNU/kFreeBSD arc4random (Closes: 815302). diff --git a/debian/openntpd.service b/debian/openntpd.service index 311e0c6..d0680c7 100644 --- a/debian/openntpd.service +++ b/debian/openntpd.service @@ -3,6 +3,7 @@ Description=OpenNTPd Network Time Protocol Conflicts=systemd-timesyncd.service After=network.target + [Service] Type=forking EnvironmentFile=-/etc/default/openntpd @@ -10,5 +11,29 @@ ExecStart=/usr/sbin/ntpd $DAEMON_OPTS Restart=on-failure RuntimeDirectory=openntpd +## Sandboxing features. See systemd.exec(5) +# The service gets its own instance of {/var,}/tmp +PrivateTmp=true + +# Only exposes API pseudo-devices (/dev/null, zero, random) +PrivateDevices=true + +# Makes the system read-only (in the daemon's namespace) +# and prevent access to the logs +ReadOnlyDirectories=/ +ReadWriteDirectories=/var/lib/openntpd +InaccessibleDirectories=/var/log + +# Prevents access to /home, /root and /run/user +ProtectHome=true + +# Bounds the daemon's privileges. +# See capabilities(7) and +# /usr/share/doc/linux-doc-*/Documentation/prctl/no_new_privs.txt.gz +CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG +CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT +NoNewPrivileges=true + + [Install] WantedBy=multi-user.target -- 2.8.1
signature.asc
Description: PGP signature

