Package: apt-cacher-ng
Version: 3.6.3-1
Severity: wishlist
The attached /etc/systemd/service/apt-cacher-ng.service.d/override.conf
makes "systemd-analyze security" change from a frowny face to a smiley face.
(I think it's also supposed to improve security hardening, but I can only vouch
for the smiley face.)
I took my usual strategy of "block everything, then unblock things until stuff
works again".
My "is it working" tests were:
* systemctl start apt-cacher-ng
* apt update (using acng as proxy)
* mmdebstrap (using acng as proxy)
* browse to http://localhost:3142/acng-report.html?doCount=Count+Data#stats
* all the above with an empty /var/cache/apt-cacher-ng
I ran a similar override on buster for 12 months with no OBVIOUS issues, but
it probably needs more testing before pushing it out to everybody.
(i.e. before copy-pasting override.conf into systemd/apt-cacher-ng.service.in)
As a specific example of "more real-world testing needed",
I found with other daemons it's a real pain to call sendmail(8) or mail(1).
Here are some workarounds I came up with on buster for specific MTAs:
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/blob/main/systemd/system/0-EXAMPLES/30-allow-mail-msmtp.conf
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/blob/main/systemd/system/0-EXAMPLES/30-allow-mail-postfix-non-root-addgroup.conf
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/blob/main/systemd/system/0-EXAMPLES/30-allow-mail-postfix-non-root-dac-override.conf
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/blob/main/systemd/system/0-EXAMPLES/30-allow-mail-postfix-non-root-setgid.conf
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/blob/main/systemd/system/0-EXAMPLES/30-allow-mail-postfix-root-dac-override.conf
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/blob/main/systemd/system/0-EXAMPLES/30-allow-mail-postfix-root-sys-admin.conf
https://github.com/cyberitsolutions/prisonpc-systemd-lockdown/blob/main/systemd/system/0-EXAMPLES/30-allow-mail-postfix-via-msmtp.conf
I *think* acng only sends mail in troublefaq.html, so
it might be sufficient for troublefaq.html to say
"you might need to comment out systemd security options while debugging".
PS: for comparison, a daemon that is successfully using this stuff is mariadb,
as an alternative to the mysqld_safe wrapper.
https://mariadb.com/kb/en/systemd/
UNIT                   EXPOSURE  PREDICATE  HAPPY
mariadb.service        5.6       MEDIUM     😐
apt-cacher-ng.service  9.2       UNSAFE     😨  (current state)
apt-cacher-ng.service  1.1       OK         🙂  (with my probably-too-strict override.conf)
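Added example (not from the bug report or the apt-cacher-ng package): a small POSIX sh gate that parses the table layout `systemd-analyze security` prints, as quoted above, and fails when any unit's exposure score exceeds a threshold, so the override can be checked in CI after the "is it working" smoke tests. The sample report is constructed from the figures in this report; the column layout of real `systemd-analyze security --no-pager` output (v247) is assumed to match.

```shell
#!/bin/sh
# Constructed sample of `systemd-analyze security` output; the scores mirror
# the figures quoted in the bug report, not a capture from a real host.
SAMPLE_REPORT='UNIT                   EXPOSURE PREDICATE HAPPY
mariadb.service             5.6 MEDIUM    😐
apt-cacher-ng.service       9.2 UNSAFE    😨'

# exposure_of UNIT: read a report on stdin, print the exposure score of UNIT
# (empty output if the unit is not listed). The header row is skipped.
exposure_of() {
    awk -v unit="$1" 'NR > 1 && $1 == unit { print $2 }'
}

# check_exposure MAX: read a report on stdin, print every unit whose exposure
# score is above MAX and exit 1 if there was any, else exit 0.
# awk does the comparison because sh arithmetic is integer-only.
check_exposure() {
    awk -v max="$1" '
        NR == 1 { next }                               # skip the header row
        $2 + 0 > max + 0 {
            bad++
            printf "%s: exposure %s exceeds %s (%s)\n", $1, $2, max, $3
        }
        END { exit (bad > 0) }'
}

# Typical use on a real host (assumed command line, systemd v247+):
#   systemd-analyze security --no-pager | check_exposure 5.0
```

Run it against the constructed sample with `printf '%s\n' "$SAMPLE_REPORT" | check_exposure 5.0` to see the apt-cacher-ng row flagged.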
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-security'), (500, 'unstable'),
(1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
# Appease "systemd-analyze security" as at v247
[Service]
CapabilityBoundingSet=
RestrictNamespaces=yes
# FIXME: blocking AF_NETLINK causes this warning:
# [warn] Unable to call getifaddrs(): Address family not supported by protocol
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
DevicePolicy=closed
DeviceAllow=
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0077
ProtectHostname=yes
ProcSubset=pid
# apt-cacher-ng has a control socket in /run that
# /etc/cron.daily/apt-cacher-ng talks to.
# Have systemd create the parent directory, so that we can confine the daemon
# from doing so.
RuntimeDirectory=apt-cacher-ng
WorkingDirectory=/run/apt-cacher-ng
# Let apt-cacher-ng maintain its download cache, and create logs.
ReadWritePaths=-/var/cache/apt-cacher-ng /var/log/apt-cacher-ng