Package: xinetd
Version: 1:2.3.15.4-4
Severity: normal
Tags: patch security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

I believe that we should use some of the security features documented at the above URL for almost every daemon. The following settings should be fairly safe. While an inetd is one of those programs that tends to be configured to run all manner of programs, the uses of such programs will be extremely unlikely to conflict with these restrictions. Any program that does need such things is probably buggy to a degree that the sysadmin will want to know about it and make a deliberate decision as to whether to include it.

RestrictSUIDSGID=true
PrivateTmp=true
UMask=077
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true

The following settings are quite useful but have a higher probability of breaking things. I think it would still be worth including them with a NEWS entry documenting the possibility of needing to change them. The ProtectHome option broke it on some of my systems, so I turned that off as a temporary measure, but the correct thing to do is to put all files needed by xinetd under /var/lib or something. Preventing network facing daemons from accessing home directories is a really good thing.
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE CAP_SYS_RESOURCE
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @swap @module @obsolete @clock
ProtectHome=true

-- System Information:
Debian Release: trixie/sid
  Architecture: amd64 (x86_64)

Kernel: Linux 6.9.9-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages xinetd depends on:
ii  init-system-helpers  1.66
ii  libc6                2.39-4
ii  libselinux1          3.5-2+b3
ii  libtirpc3t64         1.3.4+ds-1.3
ii  libwrap0             7.6.q-33
ii  netbase              6.4

xinetd recommends no packages.

Versions of packages xinetd suggests:
ii  update-inetd  4.53

-- Configuration Files:
/etc/init.d/xinetd [Errno 13] Permission denied: '/etc/init.d/xinetd'
/etc/xinetd.conf changed [not included]

-- debconf-show failed
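As an added example (not part of the report or of the xinetd package), a small checker that parses the [Service] section of a unit file or drop-in such as the hypothetical /etc/systemd/system/xinetd.service.d/hardening.conf and lists which of the directives proposed above are absent or set to another value, keeping the two tiers apart so the riskier ones can be reviewed separately; the drop-in it is run against is constructed and includes the ProtectHome workaround mentioned in the report.

```python
import re
# The two tiers of systemd.exec directives proposed in the bug report above.
SAFE = {k: "true" for k in (
    "RestrictSUIDSGID PrivateTmp ProtectControlGroups ProtectClock ProtectHostname "
    "ProtectKernelTunables ProtectKernelLogs ProtectKernelModules MemoryDenyWriteExecute "
    "RestrictNamespaces LockPersonality RestrictRealtime").split()}
SAFE.update(UMask="077", SystemCallArchitectures="native")
RISKY = {
    "CapabilityBoundingSet": "CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE CAP_SYS_RESOURCE",
    "SystemCallFilter": "~@mount @cpu-emulation @debug @raw-io @reboot @swap @module @obsolete @clock",
    "ProtectHome": "true",
}

def parse_service(text):
    """Key=value pairs from [Service]; a later line replaces an earlier one."""
    section, values = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif section == "Service" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def normalize(key, val):
    if key == "UMask":
        return val.lstrip("0") or "0"            # 077 and 0077 are the same mask
    if val.lower() in ("true", "yes", "on", "1"):
        return "true"                            # common boolean spellings systemd accepts
    return " ".join(sorted(val.split(), key=str.lower))  # list order is irrelevant

def audit(text):
    """Which proposed directives are absent, and which are set to another value."""
    have = parse_service(text)
    report = {"missing_safe": [], "missing_risky": [], "mismatched": []}
    for tier, wanted in (("missing_safe", SAFE), ("missing_risky", RISKY)):
        for key, val in wanted.items():
            if key not in have:
                report[tier].append(key)
            elif normalize(key, have[key]) != normalize(key, val):
                report["mismatched"].append(key)
    return report

# Constructed drop-in (hypothetical path /etc/systemd/system/xinetd.service.d/hardening.conf):
# partly hardened, with the reporter's ProtectHome workaround still in place.
SAMPLE = ("[Service]\nPrivateTmp=yes\nUMask=0077\nProtectHome=false\n"
          "CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID "
          "CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE\n")
```

`audit(SAMPLE)` reports SystemCallFilter as the missing risky directive and ProtectHome as mismatched, while the reordered CapabilityBoundingSet list and `UMask=0077` are accepted as equivalent.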