On Thu, Feb 27, 2025 at 04:39:41PM -0800, Phil Dibowitz wrote: > Package: radvd > Version: 1:2.19-1+b1
Strange version number > Dear Maintainer, > > The unitfile for radvd should probably have: > > ``` > EnvironmentFile=-/etc/default/radvd > StartExec=/usr/sbin/radvd --logmethod stderr_clean $OPTIONS > ``` > > So that people can set command-line options. I understand the wish. > But further, we probably want the default options to include `-u radvd` > like most Debian packages - the package already sets up the user, Username _radvd is (somewhere) on the todo list. > and pre-systemd setup privelegeseparation, but this was dropped in the > systemd move. To accomplish this you'll also need to add `CAP_SETUID > CAP_SETGID` to the `CapabilityBoundingSet`. > > Finally, errors are masked as currently configured because we fork, but > expect logs on stderr. We should set the `Type` to `simple` and add > `--nodaemon` to the default OPTIONS. So something like: > > /etc/default/radvd: > ``` > OPTIONS="--logmethod stderr_clean -u radvd --nodaemon" > ``` > > /lib/systemd/system/radvd.service > ``` > # It's not recommended to modify this file in-place, because it > # will be overwritten during upgrades. If you want to customize, > # the best way is to use the "systemctl edit" command. > > [Unit] > Description=Router advertisement daemon for IPv6 > Documentation=man:radvd(8) > After=network.target > ConditionPathExists=/etc/radvd.conf > > [Service] > Type=simple > ExecStartPre=/usr/sbin/radvd $OPTIONS --configtest > ExecStart=/usr/sbin/radvd $OPTIONS > ExecReload=/usr/sbin/radvd $OPTIONS --configtest > ExecReload=/bin/kill -HUP $MAINPID > PIDFile=/run/radvd.pid > > # Set the CPU scheduling policy to idle which is for running very low > priority backg> > CPUSchedulingPolicy=idle > > # Allow for binding to low ports and doing raw network access > CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW > > # Set up a new file system namespace and mounts private /tmp and /var/tmp > directories > # so this service cannot access the global directories and other processes > cannot > # access this service's directories. > PrivateTmp=yes > > # Sets up a new /dev namespace for the executed processes and only adds API > pseudo d> > # such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY > subsystem) > > # but no physical devices such as /dev/sda. > PrivateDevices=yes > > # Mounts the /usr, /boot, and /etc directories read-only for processes > invoked by th> > ProtectSystem=full > > # The directories /home, /root and /run/user are made inaccessible and empty > for pro> > # invoked by this unit. > ProtectHome=yes > > # Ensures that the service process and all its children can never gain new > privileges > NoNewPrivileges=yes > > [Install] > WantedBy=multi-user.target > ``` > > This is roughly what I've done on my system with override files. a unified diff does make changes more visable. > Finally - I couldn't run `reportbug` from the system in question, Acknowledge on "There was an attempt" > so here's the relevant info: > > radvd: 1:2.19-1+b1 > Debian Release: 12.9 a.k.a. Bookworm > Architecture: amd64 (x86_64) > Kernel: 5.10.0-0.deb10.28-amd64 I did expect kernel version 6 something. > -- System Information: > Debian Release: trixie/sid a.k.a. 13 > APT prefers unstable > APT policy: (500, 'unstable') > Architecture: amd64 (x86_64) > Foreign Architectures: i386 > > Kernel: Linux 6.12.12-amd64 (SMP w/12 CPU threads; PREEMPT) Kernel version 6 something > Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE > Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > Versions of packages radvd depends on: > ii adduser 3.142 > ii libc6 2.40-7 > > radvd recommends no packages. > > radvd suggests no packages. Groeten Geert Stappers -- Silence is hard to parse
