Source: memcached
Version: 1.5.0-1
Severity: wishlist
Tags: patch
Hi,
Please add some hardening features to the systemd .service file. :)
(Patch attached.)
Regards,
--
,''`.
: :' : Chris Lamb, Debian Project Leader
`. `'` la...@debian.org / chris-lamb.co.uk
`-
diff --git a/debian/memcached.service b/debian/memcached.service
index fae53a5..f816a93 100644
--- a/debian/memcached.service
+++ b/debian/memcached.service
@@ -6,5 +6,56 @@ Documentation=man:memcached(1)
[Service]
ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper
/etc/memcached.conf
+# Set up a new file system namespace and mounts private /tmp and /var/tmp
directories
+# so this service cannot access the global directories and other processes
cannot
+# access this service's directories.
+PrivateTmp=true
+
+# Mounts the /usr, /boot, and /etc directories read-only for processes invoked
by this unit.
+ProtectSystem=full
+
+# Ensures that the service process and all its children can never gain new
privileges
+NoNewPrivileges=true
+
+# Sets up a new /dev namespace for the executed processes and only adds API
pseudo devices
+# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY
subsystem) to it,
+# but no physical devices such as /dev/sda.
+PrivateDevices=true
+
+# Required for dropping privileges and running as a different user
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+
+# Attempts to create memory mappings that are writable and executable at the
same time,
+# or to change existing memory mappings to become executable are prohibited.
+MemoryDenyWriteExecute=true
+
+# Explicit module loading will be denied. This allows to turn off module load
and unload
+# operations on modular kernels. It is recommended to turn this on for most
services that
+# do not need special file systems or extra kernel modules to work.
+ProtectKernelModules=true
+
+# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
/proc/latency_stats,
+# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only
to all processes
+# of the unit. Usually, tunable kernel variables should only be written at
boot-time, with the
+# sysctl.d(5) mechanism. Almost no services need to write to these at runtime;
it is hence
+# recommended to turn this on for most services.
+ProtectKernelTunables=true
+
+# The Linux Control Groups (cgroups(7)) hierarchies accessible through
/sys/fs/cgroup will be
+# made read-only to all processes of the unit. Except for container managers
no services should
+# require write access to the control groups hierarchies; it is hence
recommended to turn this on
+# for most services
+ProtectControlGroups=true
+
+# Any attempts to enable realtime scheduling in a process of the unit are
refused.
+RestrictRealtime=true
+
+# Restricts the set of socket address families accessible to the processes of
this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Takes away the ability to create or manage any kind of namespace
+RestrictNamespaces=true
+
[Install]
WantedBy=multi-user.target
