diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in index 9795807..a3f65e0 100644 --- a/systemd/gssproxy.service.in +++ b/systemd/gssproxy.service.in @@ -5,7 +5,8 @@ After=syslog.target network.target Before=rpc-gssd.service [Service] -StateDirectory=gssproxy/clients gssproxy/rcache +ConfigurationDirectory=gssproxy +StateDirectory=gssproxy gssproxy/clients gssproxy/rcache Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache ExecStart=@sbindir@/gssproxy -i # This can be changed to notify-reload and ExecReload= can be removed once @@ -13,22 +14,50 @@ ExecStart=@sbindir@/gssproxy -i Type=notify ExecReload=/bin/kill -HUP $MAINPID -ProtectSystem=full -ProtectClock=true -ProtectKernelLogs=true -ProtectControlGroups=true -RestrictRealtime=true -# NoNewPrivileges: when true breaks the ability to open a socket -# under /var/lib/gssproxy so no NoNewPrivileges -# PrivateTmp: can't be used as it hides ccaches stored in /tmp -# ProtectHome: blocks access to /home which may hold ccaches -# ProtectHostname: blocks propagation of hostname on change -# but in some cases, when using a keytab, we may want to see hostname -# changes as the server will want to respond only for the system name -# ProtectKernelTunables: blocks ability to write to proc. -# on startup gssproxy needs to write in proc to let nfsd know it can -# use the "new" gssproxy method instead of the old rpc stuff. - +ProtectSystem=strict +PrivateDevices=yes +PrivateNetwork=yes +PrivateIPC=yes +# Blocks access to /home which may hold ccaches, also breaks euid mappings +PrivateUsers=no +# For now, read-writeable ccaches in /tmp, /root, /home and /run/user are +# allowed, if you know that no such ccaches are used on your system, you might +# want to override these defaults with a drop-in (see man systemd.unit(5)) +# like this (stored in e.g. /etc/systemd/system/gssproxy.d/override.conf): +# [Service] +# PrivateTmp=yes +# ProtectHome=tmpfs +# ReadWritePaths= +PrivateTmp=no +ProtectHome=no +ReadWritePaths=/root /home /run/user +# Blocks propagation of hostname on change but when using a keytab, we want to +# see hostname changes as the server will want to respond only for that name +ProtectHostname=no +ProtectClock=yes +# Does *not* block rw access to /proc/net/rpc/use-gss-proxy +ProtectKernelTunables=yes +# Blocks access to /proc/net/rpc/use-gss-proxy and executable name matching +ProtectProc=default +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX AF_LOCAL +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +PrivateMounts=yes +# Stricter version: +# SystemCallFilter=@default @basic-io @file-system @io-event @network-io @signal @ipc @process madvise umask uname +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +SystemCallArchitectures=native +NoNewPrivileges=yes +CapabilityBoundingSet=CAP_DAC_OVERRIDE +IPAddressDeny=any +UMask=0177 [Install] WantedBy=multi-user.target