FS#42658 - [nginx] Add more security features to nginx.service

Attached to Project: Arch Linux
Opened by Tobias Hunger (hunger) - Sunday, 02 November 2014, 13:13 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Thursday, 12 March 2015, 18:08 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Sébastien Luttringer (seblu)
Bartłomiej Piotrowski (Barthalion)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Please add more systemd hardening features to nginx.service.

The following set should be fine:
CapabilityBoundingSet=
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
RuntimeDirectory=nginx
RuntimeDirectoryMode=700


Additional info:
* nginx version 1.6.2-2

Steps to reproduce:

Closed by Bartłomiej Piotrowski (Barthalion)
Thursday, 12 March 2015, 18:08 GMT
Reason for closing: Won't implement
Comment by Sébastien Luttringer (seblu) - Wednesday, 18 February 2015, 00:41 GMT
Why do you want to add the RuntimeDirectory option? nginx doesn't use /run/nginx.
Comment by Sébastien Luttringer (seblu) - Wednesday, 18 February 2015, 01:02 GMT
If we put CapabilityBoundingSet=, nginx will not be able to open its sockets on ports < 1024. We need CAP_NET_BIND_SERVICE.
We also need to change the owner of log files (or let CAP_DAC_OVERRIDE).
nginx is spawning subprocess and changing its uid/gid. We need CAP_SETUID and CAP_SETGID.
Comment by Daniel Micay (thestinger) - Wednesday, 18 February 2015, 01:24 GMT
I don't think options like ProtectSystem have much value anyway. A whitelist-based approach would be nice... as blacklisting is a never ending rabbit hole and is never going to be "good enough".
Comment by Daniel Micay (thestinger) - Wednesday, 18 February 2015, 01:27 GMT
The rationale for why I never opened bugs proposing that we leverage that stuff is here:

https://wiki.archlinux.org/index.php/DeveloperWiki:Security#ReadOnly.2FReadWrite

The options like ProtectSystem are just shortcuts for specific blacklists. For example, why would nginx need write access to /home and /root? ProtectSystem doesn't take that away... it's basically security theater.
Comment by Daniel Micay (thestinger) - Wednesday, 18 February 2015, 01:28 GMT
Of course you could add ProtectHome too, but why would it need write access to *all* of /var? Lots of ways to elevate privileges via other services thanks to that, etc.
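The two threads of the discussion above (the capabilities nginx actually needs, and an allowlist of writable paths instead of a ProtectSystem blacklist) can be combined in a drop-in. The fragment below is an added example, not the Arch nginx.service or anything proposed in the ticket. It uses current systemd directive names (ProtectSystem=strict, ReadWritePaths=, which did not exist in 2015) and assumes Arch's usual paths for nginx logs and temp directories; adjust them to your nginx.conf.

```ini
# Example drop-in (path is an assumption): /etc/systemd/system/nginx.service.d/hardening.conf
[Service]
# Minimal bounding set, per the comments above:
#  CAP_NET_BIND_SERVICE  bind :80/:443 (ports < 1024)
#  CAP_SETUID/CAP_SETGID master drops workers to the nginx user/group
#  CAP_DAC_OVERRIDE      only needed while log files are not owned by the
#                        worker user; chown /var/log/nginx and drop it.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE
NoNewPrivileges=true
PrivateTmp=true

# Allowlist instead of blacklist: mount the whole hierarchy read-only
# (not just /usr, /boot and /etc as ProtectSystem=full does), hide /home
# and /root, then re-enable writes only where nginx needs them.
ProtectSystem=strict
ProtectHome=true
# Assumed paths: access/error logs and client-body/proxy/fastcgi temp dirs.
ReadWritePaths=/var/log/nginx /var/lib/nginx
# If nginx.conf keeps "pid /run/nginx.pid;", /run must be writable too;
# alternatively point the pid directive into a RuntimeDirectory=nginx,
# which systemd leaves writable under ProtectSystem=strict.
ReadWritePaths=/run
```

After `systemctl daemon-reload`, `systemctl show -p CapabilityBoundingSet -p ProtectSystem -p ReadWritePaths nginx.service` confirms the merged settings, and on systemd 240 or newer `systemd-analyze security nginx.service` scores the unit and lists which exposures remain. Check the error log after a restart: an EACCES on a path not in ReadWritePaths is the allowlist doing its job, and the fix is to add that one path rather than to loosen ProtectSystem.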
