- Updated Systemd security settings (closes #3) (Rahul Sundaram)

- updated httpd.service(5) man page (Joe Orton)

httpd.service

@@ -26,8 +26,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target

httpd.service.xml

@@ -231,7 +231,16 @@ Wants=network-online.target</programlisting>
     <refsect2>
       <title>Process policies and restrictions</title>
 
-      <para>The httpd service uses the following options:
+      <para>The <command>httpd.service</command> unit enables a
+      variety of sandboxing options. Many of these prevent the service
+      from changing the system configuration - such as
+      <emphasis>ProtectClock</emphasis> and
+      <emphasis>ProtectKernelModules</emphasis>. See
+      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      and
+      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      for more information on these options. Particular notice should
+      be taken of the following:
 
       <itemizedlist>
         <listitem><para><emphasis>PrivateTmp</emphasis> is enabled by
@@ -247,13 +256,14 @@ Wants=network-online.target</programlisting>
         the policy to <emphasis>continue</emphasis>, httpd will
         continue to run (and recover) if a single child is terminated
         because of excess memory consumption.</para></listitem>
-      </itemizedlist>
 
-      See
-      <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-      and
-      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-      for more information.</para>
+        <listitem><para><emphasis>ProtectHome</emphasis> is set to
+        <emphasis>read-only</emphasis> by default. CGI scripts run via
+        <emphasis>UserDir</emphasis> will not be able modify any
+        content in <filename>/home</filename> by
+        default.</para></listitem>
+      </itemizedlist></para>
+
     </refsect2>
 
     <refsect2>

httpd.spec

@@ -24,7 +24,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.58
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -829,6 +829,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Mon Jan 15 2024 Rahul Sundaram <sundaram@fedoraproject.org> - 2.4.58-7
+- Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
+- updated httpd.service(5) (Joe Orton)
+
 * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.58-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 

httpd@.service

@@ -19,8 +19,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target