Debian Bug report logs -
#863841
Enable systemd hardening options for named
Report forwarded to debian-bugs-dist@lists.debian.org, rra@debian.org, LaMont Jones <lamont@debian.org>: Bug#863841; Package bind9. (Wed, 31 May 2017 20:27:13 GMT)
Acknowledgement sent to Russ Allbery <rra@debian.org>: New Bug report received and forwarded. Copy sent to rra@debian.org, LaMont Jones <lamont@debian.org>. (Wed, 31 May 2017 20:27:13 GMT)
Message #5 received at submit@bugs.debian.org:
Package: bind9
Version: 1:9.10.3.dfsg.P4-12.3
Severity: wishlist
BIND named is a great candidate for enabling systemd hardening features,
since it has very limited required access to the local file system and
a long history of security issues due to its complexity.
I'm currently using the following settings on jessie without any impact,
although I'm not using dynamic DNS or a few other things that may make
a difference. jessie had much more limited options; there are other
options now available in newer systemd, and I didn't start looking at
system call filtering.
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
CAP_DAC_OVERRIDE is required for rndc to read /etc/bind/rndc.key; a
possible alternative would be to find a way to run it as the bind user
instead. It's possible that you could drop CAP_SETGID and CAP_SETUID
and instead let systemd switch to the bind user, and put
CAP_NET_BIND_SERVICE into the ambient capability set instead so that it
can still bind to a low-numbered port.
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bind9 depends on:
ii adduser 3.115
ii bind9utils 1:9.10.3.dfsg.P4-12.3
ii debconf [debconf-2.0] 1.5.61
ii init-system-helpers 1.48
ii libbind9-140 1:9.10.3.dfsg.P4-12.3
ii libc6 2.24-11
ii libcap2 1:2.25-1
ii libcomerr2 1.43.4-2
ii libdns162 1:9.10.3.dfsg.P4-12.3
ii libgeoip1 1.6.9-4
ii libgssapi-krb5-2 1.15-1
ii libirs141 1:9.10.3.dfsg.P4-12.3
ii libisc160 1:9.10.3.dfsg.P4-12.3
ii libisccc140 1:9.10.3.dfsg.P4-12.3
ii libisccfg140 1:9.10.3.dfsg.P4-12.3
ii libk5crypto3 1.15-1
ii libkrb5-3 1.15-1
ii liblwres141 1:9.10.3.dfsg.P4-12.3
ii libssl1.0.2 1.0.2l-1
ii libxml2 2.9.4+dfsg1-2.2
ii lsb-base 9.20161125
ii net-tools 1.60+git20161116.90da8a0-1
ii netbase 5.4
bind9 recommends no packages.
Versions of packages bind9 suggests:
pn bind9-doc <none>
ii dnsutils 1:9.10.3.dfsg.P4-12.3
pn resolvconf <none>
pn ufw <none>
-- debconf information:
bind9/start-as-user: bind
bind9/different-configuration-file:
bind9/run-resolvconf: false
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#863841; Package bind9. (Wed, 13 Dec 2017 18:57:03 GMT)
Acknowledgement sent to Bernhard Schmidt <berni@birkenwald.de>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Wed, 13 Dec 2017 18:57:03 GMT)
Message #10 received at 863841@bugs.debian.org:
FTR, this is what the "others" are using (just as a reference; I think we can
easily add more):
Fedora/RHEL:
https://src.fedoraproject.org/rpms/bind/blob/master/f/named.service
PrivateTmp=true
SLES:
Unknown, but https://build.opensuse.org/package/revisions/network/bind
sports a nice "Add back init scripts, systemd units aren't ready yet"
Gentoo:
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-dns/bind/files/named.service-r1
nothing
Arch:
https://git.archlinux.org/svntogit/packages.git/tree/trunk/named.service?h=packages/bind
nothing
The only thing I can think of that might interfere with this is
chrooting the named daemon, which is possible with the "-t" command line
option. We do this to run multiple instances without the need to specify
the full path to the configuration file. I will test this in the
upcoming days.
Bernhard
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#863841; Package bind9. (Wed, 13 Dec 2017 19:42:02 GMT)
Acknowledgement sent to Simon Deziel <simon@sdeziel.info>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Wed, 13 Dec 2017 19:42:02 GMT)
Message #15 received at 863841@bugs.debian.org:
Hi,
It would be really nice to have those hardening options used. I use them
locally on Ubuntu. Please note that the Private*/Protect* options (using
the mount namespace) require this change to the AppArmor profile:
-/usr/sbin/named {
+/usr/sbin/named flags=(attach_disconnected) {
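Review bot: the change is confined to the profile header line, which is the only place the profile flags can go; since the text ties it to the Private*/Protect* mount-namespace options, the unit change and this profile change should ship together so that a hardened unit is never started against the old profile.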
Thanks,
Simon
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#863841; Package bind9. (Mon, 29 Jan 2018 16:21:03 GMT)
Acknowledgement sent to Simon Deziel <simon@sdeziel.info>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 29 Jan 2018 16:21:04 GMT)
Message #20 received at 863841@bugs.debian.org:
Hi,
In addition to what Russ proposed to add, I've been running with those
additional restrictions:
SystemCallArchitectures=native
# note: AF_NETLINK is needed for getifaddrs(3)
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
They are available on older systemd versions so they shouldn't cause
problems with backports. I tested with systemd 229 (Xenial).
Regards,
Simon
P.S.: flags=(attach_disconnected) is still needed for AppArmor.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#863841; Package bind9. (Thu, 01 Feb 2018 08:45:16 GMT)
Acknowledgement sent to Ludovic Gasc <gmludo@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Thu, 01 Feb 2018 08:45:16 GMT)
Message #25 received at 863841@bugs.debian.org:
Hi,
On Mon, 29 Jan 2018 11:18:47 -0500 Simon Deziel <simon@sdeziel.info> wrote:
> SystemCallArchitectures=native
> # note: AF_NETLINK is needed for getifaddrs(3)
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
I'm also working on increasing the security of bind via systemd without MAC
enabled; I have integrated your suggestions.
FYI, I have discussed this on the bind mailing list to validate the unit
file; the complete discussion:
https://lists.isc.org/pipermail/bind-users/2018-January/099437.html
Below is the actual unit file I'm using in production.
If you have extra suggestions, I'm interested.
How could I send a merge request?
I have found the file in Git:
https://anonscm.debian.org/git/pkg-dns/bind9.git/tree/debian/bind9.service
Should I send a patch to the Debian-DNS mailing list?
Regards
[Unit]
After=network-online.target
[Service]
Type=simple
TimeoutSec=25
Restart=always
RestartSec=1
User=bind
Group=bind
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex \
clock_adjtime delete_module fanotify_init finit_module get_mempolicy \
init_module io_destroy io_getevents iopl ioperm io_setup io_submit \
io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages \
open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace \
remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
LimitCORE=infinity
LimitNOFILE=65535
NoNewPrivileges=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
RestrictRealtime=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ReadOnlyPaths=/sys
InaccessiblePaths=/home
InaccessiblePaths=/opt
InaccessiblePaths=/root
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind
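Added here as a worked example (it is not code from Debian, ISC or any of the posters): a small Python checker that parses a unit file the way systemd reads the keys involved (repeated list keys such as ReadWritePaths accumulate, an empty assignment resets them, a trailing backslash continues the line) and lints the [Service] section against the points raised in this thread: the Private*/Protect* set from message #5, ProtectSystem=strict needing ReadWritePaths for the three directories listed in message #25, the User= plus ambient CAP_NET_BIND_SERVICE pattern in place of CAP_SETUID/CAP_SETGID, AF_NETLINK for getifaddrs(3) from message #20, and the attach_disconnected AppArmor flag from message #15. The two sample units are transcribed from messages #5 and #25 (Ludovic's syscall deny-list is abbreviated and joined with a backslash continuation); the severity labels and the assumption that those three directories are the ones named must write to are this example's own.

```python
"""Lint a systemd unit against the named hardening points raised in Debian #863841.
Added example, not Debian/ISC/poster code; severities and NAMED_WRITE_PATHS are
this example's assumptions, taken from the thread."""
import re

# Keys systemd treats as lists: repeated assignments accumulate, an empty one resets.
LIST_KEYS = {"ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths", "CapabilityBoundingSet",
             "AmbientCapabilities", "RestrictAddressFamilies", "SystemCallFilter"}
NAMED_WRITE_PATHS = ("/run/named", "/var/cache/bind", "/var/lib/bind")  # from message #25


def parse_unit(text):
    """Return {section: {key: str | list}} for unit text."""
    units, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):                  # trailing backslash: join with next line
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            units.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        key, value, sec = key.strip(), value.strip(), units.setdefault(section, {})
        if key not in LIST_KEYS:
            sec[key] = value                     # scalar: last assignment wins
        elif value == "":
            sec[key] = []                        # empty assignment resets the list
        else:
            sec.setdefault(key, []).extend(value.split())
    return units


def lint(unit):
    """Return [(severity, message)] findings for the [Service] section."""
    svc = unit.get("Service", {})
    caps = set(svc.get("CapabilityBoundingSet", []))
    rw, fams = set(svc.get("ReadWritePaths", [])), set(svc.get("RestrictAddressFamilies", []))
    out = [("warn", f"{k}=true not set") for k in
           ("NoNewPrivileges", "PrivateTmp", "PrivateDevices", "ProtectHome") if svc.get(k) != "true"]
    if svc.get("ProtectSystem") not in ("full", "strict"):
        out.append(("warn", "ProtectSystem should be full or strict"))
    elif svc.get("ProtectSystem") == "strict":   # whole tree read-only: whitelist named's dirs
        out += [("error", f"ProtectSystem=strict but no ReadWritePaths={p}")
                for p in NAMED_WRITE_PATHS if p not in rw]
    if "User" in svc:                            # systemd switches user itself
        out += [("info", f"{c} unnecessary once User= is set")
                for c in ("CAP_SETUID", "CAP_SETGID") if c in caps]
        if "CAP_NET_BIND_SERVICE" in caps - set(svc.get("AmbientCapabilities", [])):
            out.append(("error", "CAP_NET_BIND_SERVICE must be ambient for User=bind to bind port 53"))
    if "CAP_DAC_OVERRIDE" in caps:
        out.append(("info", "CAP_DAC_OVERRIDE kept for rndc.key; prefer fixing file ownership"))
    if fams and "AF_NETLINK" not in fams:
        out.append(("error", "RestrictAddressFamilies lacks AF_NETLINK, needed by getifaddrs(3)"))
    if svc.get("SystemCallArchitectures") != "native":
        out.append(("warn", "SystemCallArchitectures=native not set"))
    if "SystemCallFilter" not in svc:
        out.append(("info", "no SystemCallFilter= (system-call filtering not applied)"))
    return out


def apparmor_flag_missing(unit, profile_text):
    """True when the unit uses mount-namespace options but the named profile
    header lacks flags=(attach_disconnected)."""
    svc = unit.get("Service", {})
    uses_ns = any(k.startswith(("Private", "Protect")) or k.endswith("Paths") for k in svc)
    header = re.search(r"^/usr/sbin/named\b([^{]*)\{", profile_text, re.M)
    return uses_ns and not (header and "attach_disconnected" in header.group(1))


# Constructed samples, transcribed from messages #5 and #25 of this bug log.
RUSS_FRAGMENT = """[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
"""
LUDOVIC_UNIT = """[Service]
User=bind
Group=bind
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# deny-list (~): abbreviated here, joined with a backslash continuation
SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex \\
  clock_adjtime delete_module ptrace swapoff swapon uselib vmsplice
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
NoNewPrivileges=true
SystemCallArchitectures=native
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind
"""
PROFILE_BEFORE = "/usr/sbin/named {\n}\n"                                  # constructed
PROFILE_AFTER = "/usr/sbin/named flags=(attach_disconnected) {\n}\n"       # constructed

if __name__ == "__main__":
    for name, text in (("Russ's fragment", RUSS_FRAGMENT), ("Ludovic's unit", LUDOVIC_UNIT)):
        unit = parse_unit(text)
        print(f"== {name}: {len(lint(unit))} finding(s); AppArmor flag missing:",
              apparmor_flag_missing(unit, PROFILE_BEFORE))
        for sev, msg in lint(unit):
            print(f"  [{sev}] {msg}")
```

Run against the two samples, Ludovic's unit comes back clean while Russ's jessie-era fragment reports CAP_DAC_OVERRIDE, the missing SystemCallArchitectures=native and the absent SystemCallFilter; both report the AppArmor flag as missing until the profile header carries attach_disconnected. The checker deliberately only inspects the unit text; it does not replace `systemd-analyze security` or a real start of named under the new unit.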
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#863841; Package bind9. (Thu, 01 Feb 2018 15:09:05 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Thu, 01 Feb 2018 15:09:05 GMT)
Message #30 received at 863841@bugs.debian.org:
Here:
https://salsa.debian.org/dns-team/bind9.git (and future https://salsa.debian.org/dns-team/bind.git); you'll probably need a guest account, which can be created here: https://signup.salsa.debian.org/
Ondrej
--
Ondřej Surý <ondrej@sury.org>
On Thu, Feb 1, 2018, at 09:44, Ludovic Gasc wrote:
> Hi,
>
> On Mon, 29 Jan 2018 11:18:47 -0500 Simon Deziel <simon@sdeziel.info> wrote:
> > SystemCallArchitectures=native
> > # note: AF_NETLINK is needed for getifaddrs(3)
> > RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
>
> I'm also working to increase the security of bind via systemd without MAC
> enabled, I have integrated your suggestions.
> FYI, I have discussed about this on bind mailing-list to validate the unit
> file, the complete discussion:
> https://lists.isc.org/pipermail/bind-users/2018-January/099437.html
>
> Below, the actual unit file, I'm using on our production.
> If you have extra suggestions, I'm interested in.
>
> How I could send a merge request ?
> I have found the file in Git:
> https://anonscm.debian.org/git/pkg-dns/bind9.git/tree/debian/bind9.service
> I send a patch on the Debian-DNS mailing-list ?
>
> Regards
>
> [Unit]
> After=network-online.target
>
> [Service]
> Type=simple
> TimeoutSec=25
> Restart=always
> RestartSec=1
> User=bind
> Group=bind
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex
> clock_adjtime delete_module fanotify_init finit_module get_mempolicy
> init_module io_destroy io_getevents iopl ioperm io_setup io_submit
> io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages
> open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace
> remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
> LimitCORE=infinity
> LimitNOFILE=65535
> NoNewPrivileges=true
> SystemCallArchitectures=native
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectSystem=strict
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectControlGroups=true
> ReadOnlyPaths=/sys
> InaccessiblePaths=/home
> InaccessiblePaths=/opt
> InaccessiblePaths=/root
> ReadWritePaths=/run/named
> ReadWritePaths=/var/cache/bind
> ReadWritePaths=/var/lib/bind
> _______________________________________________
> pkg-dns-devel mailing list
> pkg-dns-devel@lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-dns-devel
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#863841; Package bind9. (Wed, 07 Feb 2018 22:51:03 GMT)
Acknowledgement sent to Ludovic Gasc <gmludo@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Wed, 07 Feb 2018 22:51:03 GMT)
Message #35 received at 863841@bugs.debian.org:
Done: https://salsa.debian.org/dns-team/bind9/merge_requests/1
Do I also need to send a merge request on:
https://salsa.debian.org/dns-team/bind ?
Thanks for your remarks.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#863841; Package bind9. (Thu, 29 Mar 2018 20:51:03 GMT)
Acknowledgement sent to Ludovic Gasc <gmludo@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Thu, 29 Mar 2018 20:51:03 GMT)
Message #40 received at 863841@bugs.debian.org:
Hi,
Could somebody review my merge request?
Thank you a lot :-)
--
Ludovic Gasc (GMLudo)
Last modified: Mon Sep 19 16:01:17 2022