Package: radvd
Version: 1:2.19-1+b1
Severity: normal

Dear Maintainer,

The unit file for radvd should probably have:

```
EnvironmentFile=-/etc/default/radvd
ExecStart=/usr/sbin/radvd --logmethod stderr_clean $OPTIONS
```

So that people can set command-line options. But further, we probably want the default options to include `-u radvd` like most Debian packages - the package already sets up the user, and the pre-systemd setup did privilege separation, but this was dropped in the systemd move. To accomplish this you'll also need to add `CAP_SETUID CAP_SETGID` to the `CapabilityBoundingSet`.

Finally, errors are masked as currently configured because we fork, but expect logs on stderr. We should set the `Type` to `simple` and add `--nodaemon` to the default OPTIONS.

So something like:

/etc/default/radvd:

```
OPTIONS="--logmethod stderr_clean -u radvd --nodaemon"
```

/lib/systemd/system/radvd.service:

```
# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades. If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=Router advertisement daemon for IPv6
Documentation=man:radvd(8)
After=network.target
ConditionPathExists=/etc/radvd.conf

[Service]
Type=simple
ExecStartPre=/usr/sbin/radvd $OPTIONS --configtest
ExecStart=/usr/sbin/radvd $OPTIONS
ExecReload=/usr/sbin/radvd $OPTIONS --configtest
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/radvd.pid

# Set the CPU scheduling policy to idle which is for running very low priority backg>
CPUSchedulingPolicy=idle

# Allow for binding to low ports and doing raw network access
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW

# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=yes

# Sets up a new /dev namespace for the executed processes and only adds API pseudo d>
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) >
# but no physical devices such as /dev/sda.
PrivateDevices=yes

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by th>
ProtectSystem=full

# The directories /home, /root and /run/user are made inaccessible and empty for pro>
# invoked by this unit.
ProtectHome=yes

# Ensures that the service process and all its children can never gain new privileges
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

This is roughly what I've done on my system with override files.

Finally - I couldn't run `reportbug` from the system in question, so here's the relevant info:

radvd: 1:2.19-1+b1
Debian Release: 12.9
Architecture: amd64 (x86_64)
Kernel: 5.10.0-0.deb10.28-amd64

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.12-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages radvd depends on:
ii  adduser  3.142
ii  libc6    2.40-7

radvd recommends no packages.

radvd suggests no packages.
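The override-file approach the reporter mentions, written out as an added example (this is not part of the bug report or of the radvd package): a POSIX shell script that installs the proposed `/etc/default/radvd` and a systemd drop-in under `/etc/systemd/system/radvd.service.d/`, so the packaged unit stays untouched across upgrades. It assumes the packaged unit already references `$OPTIONS` as in the proposal, and that the tree root is passed as an argument (`/` on a real host; a scratch directory for a dry run). The `check_radvd_override` function encodes the consistency rule the report relies on: if `OPTIONS` asks radvd to drop to a user, the bounding set must contain `CAP_SETUID` and `CAP_SETGID`, and if it asks for `--nodaemon`, the unit must be `Type=simple`.

```shell
#!/bin/sh
# Added example, not from the bug report: apply the proposed radvd changes as a
# drop-in plus /etc/default/radvd. Every path below is relative to the tree
# root given as $1 ("/" on a real host, a temp dir for a dry run).
set -eu

# Default options the report proposes (assumed here, not read from the package).
RADVD_OPTIONS='--logmethod stderr_clean -u radvd --nodaemon'

# Write <root>/etc/default/radvd with the proposed OPTIONS line.
write_radvd_defaults() {
    root="${1:-/}"
    mkdir -p "$root/etc/default"
    printf 'OPTIONS="%s"\n' "$RADVD_OPTIONS" > "$root/etc/default/radvd"
}

# Write the drop-in. Exec* settings are lists in systemd, so each one is
# cleared with an empty assignment before being set, otherwise the packaged
# command line would still run alongside the new one.
write_radvd_override() {
    root="${1:-/}"
    dir="$root/etc/systemd/system/radvd.service.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
[Service]
EnvironmentFile=-/etc/default/radvd
# --nodaemon keeps radvd in the foreground, so the unit no longer forks and
# stderr reaches the journal instead of being lost at daemonisation
Type=simple
ExecStartPre=
ExecStartPre=/usr/sbin/radvd $OPTIONS --configtest
ExecStart=
ExecStart=/usr/sbin/radvd $OPTIONS
ExecReload=
ExecReload=/usr/sbin/radvd $OPTIONS --configtest
ExecReload=/bin/kill -HUP $MAINPID
# -u radvd needs setuid/setgid in the bounding set or the privilege drop fails;
# NoNewPrivileges=yes from the packaged unit still applies and does not block
# a drop to a less privileged user
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETUID CAP_SETGID
EOF
}

# Consistency check between OPTIONS and the drop-in. Returns 0 when the
# capability set and Type= match what OPTIONS asks for, 1 otherwise.
check_radvd_override() {
    root="${1:-/}"
    f="$root/etc/systemd/system/radvd.service.d/override.conf"
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$root/etc/default/radvd")
    case " $opts " in
        *" -u "*|*" --username "*)
            grep -q '^CapabilityBoundingSet=.*CAP_SETUID' "$f" || return 1
            grep -q '^CapabilityBoundingSet=.*CAP_SETGID' "$f" || return 1 ;;
    esac
    case " $opts " in
        *" --nodaemon "*|*" -n "*)
            grep -q '^Type=simple$' "$f" || return 1 ;;
    esac
    return 0
}

# Usage: sh radvd-override.sh /   (then: systemctl daemon-reload && systemctl restart radvd)
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    write_radvd_defaults "$1"
    write_radvd_override "$1"
    check_radvd_override "$1" && echo "radvd override written under $1"
fi
```

Running it against a scratch root first (`sh radvd-override.sh /tmp/radvd-test`) lets you inspect the generated files before touching the live host; after installing under `/`, `systemctl cat radvd` shows the packaged unit followed by the drop-in so the merged result can be reviewed.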