FS#42658 - [nginx] Add more security features to nginx.service
Attached to Project:
Arch Linux
Opened by Tobias Hunger (hunger) - Sunday, 02 November 2014, 13:13 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Thursday, 12 March 2015, 18:08 GMT
Details
Description:
Please add more systemd hardening features to nginx.service. The following set should be fine:

CapabilityBoundingSet=
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
RuntimeDirectory=nginx
RuntimeDirectoryMode=700

Additional info:
* nginx version 1.6.2-2

Steps to reproduce:
Closed by Bartłomiej Piotrowski (Barthalion)
Thursday, 12 March 2015, 18:08 GMT
Reason for closing: Won't implement
We also need to change the owner of the log files (or allow CAP_DAC_OVERRIDE).
nginx spawns subprocesses and changes their uid/gid. We need CAP_SETUID and CAP_SETGID.
https://wiki.archlinux.org/index.php/DeveloperWiki:Security#ReadOnly.2FReadWrite
The options like ProtectSystem are just shortcuts for specific blacklists. For example, why would nginx need write access to /home and /root? ProtectSystem doesn't take that away... it's basically security theater.
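A drop-in that combines the directives proposed in the description with the capabilities the comments say the master process needs, written as an added example rather than anything from this ticket or the Arch nginx package. It assumes nginx listens on ports 80/443, switches workers to an unprivileged user via setuid/setgid, and writes only under /var/log/nginx, /var/lib/nginx and /run/nginx.

```ini
# /etc/systemd/system/nginx.service.d/hardening.conf  (added example)
# Assumptions: the master runs as root, drops workers to the nginx user,
# binds ports below 1024, and its writable paths are the three below.
[Service]
# Only what the comments above say the master needs: CAP_SETUID and
# CAP_SETGID to switch workers, CAP_NET_BIND_SERVICE for 80/443.
# CAP_DAC_OVERRIDE is deliberately left out; instead the log directory
# is chowned to the nginx user so no override is needed.
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateTmp=true
# ProtectSystem=full makes /usr, /boot and /etc read-only but, as the
# last comment notes, leaves /home and /root alone, so deny those too.
ProtectSystem=full
ProtectHome=true
# Explicit read-only/read-write split (the approach the linked wiki
# page describes) instead of relying on the shortcut alone. The two
# writable paths are assumptions about where this nginx writes.
ReadOnlyDirectories=/var
ReadWriteDirectories=/var/log/nginx /var/lib/nginx
RuntimeDirectory=nginx
RuntimeDirectoryMode=0700
```

After `systemctl daemon-reload`, `systemctl show nginx -p CapabilityBoundingSet` prints the effective bounding set, and a worker that cannot open its log or temp directory will show up at once in `journalctl -u nginx`.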