opendkim.service: harden systemd service #154
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The current opendkim.service file is not hardened, and `systemd-analyze security opendkim.service` reports an "UNSAFE" exposure level of 9.6. With the help of that tool I've applied some more security hardenings to the unit file, and the exposure level dropped to an amazing 1.1! Some of the most notable changes include: - Setting ProtectSystem= to strict, so that the entire file system is mounted read-only; users can allow-list writable paths by overriding the config with `systemctl edit opendkim.service`, but it shouldn't be needed. OpenDKIM doesn't modify files at all, and only creates a unix socket at startup, usually in /run/opendkim/opendkim.socket or /var/spool/postfix/opendkim/opendkim.socket. Both paths are allowed by default. - Denying execution of system binaries with NoExecPaths=/, and only allowing the opendkim binary itself with ExecPaths=/usr/sbin/opendkim, so that if an attacker is able to gain access to OpenDKIM they won't be able to do much, if anything, as spawing shells, listing files, etc won't be allowed, making RCE vulnerabilities much harder to exploit. - Making home directories inaccessible with ProtectHome=true - Hiding all the users of the system, with PrivateUsers=true - Restricting the kind of permitted system calls with SystemCallFilter=@System-service and SystemCallFilter=~ @PRIVILEGED @resources
|
@mdomsch how does this look to you? |
stokito
approved these changes
Oct 19, 2022
|
I missed this while I was in process of moving this summer. The ExecPaths may need to also include /usr/sbin/sendmail and /bin/sh as OpenDKIM can popen() sendmail to send success/failure reports to the standardized reporting addresses. I've been working with the Fedora SELinux team to add a SELinux policy which allows opendkim to invoke sendmail. Any Systemd restrictive wrappers needs to allow this as well. |
|
I should note, which mail submission tool to use is configurable in opendkim.conf. By default it's sendmail. The SELinux policy will allow sendmail, exim, postfix, and courier. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current
opendkim.servicefile is not hardened, andsystemd-analyze security opendkim.servicereports an "UNSAFE" exposure level of 9.6.With the help of that tool I've applied some more security hardenings to the unit file, and the exposure level dropped to an amazing 1.1!
Some of the most notable changes include:
Setting
ProtectSystem=tostrict, so that the entire file system is mounted read-only; users can allow-list writable paths by overriding the config withsystemctl edit opendkim.service, but it shouldn't be needed. OpenDKIM doesn't modify files at all, and only creates a unix socket at startup, usually in/run/opendkim/opendkim.socketor/var/spool/postfix/opendkim/opendkim.socket. Both paths are allowed by default.Denying execution of system binaries with
NoExecPaths=/, and only allowing theopendkimbinary itself withExecPaths=/usr/sbin/opendkim, so that if an attacker is able to gain access to OpenDKIM they won't be able to do much, if anything, as spawing shells, listing files, etc won't be allowed, making RCE vulnerabilities much harder to exploit.Making home directories inaccessible with
ProtectHome=trueHiding all the users of the system, with
PrivateUsers=trueRestricting the kind of permitted system calls with
SystemCallFilter=@system-serviceandSystemCallFilter=~ @privileged @resourcesPorted from https://salsa.debian.org/debian/opendkim/-/merge_requests/3
Related to #146