diff --git a/httpd.service b/httpd.service
index c5b5e08..b75e28c 100644
--- a/httpd.service
+++ b/httpd.service
@@ -26,8 +26,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
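Review bot: `ProtectSystem=yes` is the weakest level of that option. It mounts /usr and the boot loader directories read-only but leaves /etc writable, so any process in the unit that still runs as root can modify system configuration, which is what most of the other added directives are meant to prevent. If nothing in the default setup writes below /etc, `ProtectSystem=full` would close that gap. That cannot be confirmed from this hunk, so state or certificate-store paths reached through /etc/httpd are worth checking first. The same line appears in the httpd@.service hunk.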
diff --git a/httpd.service.xml b/httpd.service.xml
index 7dfdb97..3ddbc9e 100644
--- a/httpd.service.xml
+++ b/httpd.service.xml
@@ -231,7 +231,16 @@ Wants=network-online.target
Process policies and restrictions
- The httpd service uses the following options:
+ The httpd.service unit enables a
+ variety of sandboxing options. Many of these prevent the service
+ from changing the system configuration - such as
+ ProtectClock and
+ ProtectKernelModules. See
+ systemd.exec5
+ and
+ systemd.service5
+ for more information on these options. Particular notice should
+ be taken of the following:
PrivateTmp is enabled by
@@ -247,13 +256,14 @@ Wants=network-online.target
the policy to continue, httpd will
continue to run (and recover) if a single child is terminated
because of excess memory consumption.
-
- See
- systemd.exec5
- and
- systemd.service5
- for more information.
+ ProtectHome is set to
+ read-only by default. CGI scripts run via
+ UserDir will not be able modify any
+ content in /home by
+ default.
+
+
diff --git a/httpd.spec b/httpd.spec
index 3b40eed..b2ea95b 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -24,7 +24,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.58
-Release: 6%{?dist}
+Release: 7%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -829,6 +829,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Mon Jan 15 2024 Rahul Sundaram - 2.4.58-7
+- Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
+- updated httpd.service(5) (Joe Orton)
+
* Wed Jan 24 2024 Fedora Release Engineering - 2.4.58-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
diff --git a/httpd@.service b/httpd@.service
index 84424fb..8b20b90 100644
--- a/httpd@.service
+++ b/httpd@.service
@@ -19,8 +19,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
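Review bot: `MemoryDenyWriteExecute=yes` is added without a comment, although it is probably the directive in this block most likely to break a locally loaded module. It refuses memory mappings that are both writable and executable, so in-process code that generates code at runtime (a JIT) fails once the module is loaded. I would add a comment above it, for example `# Blocks W+X memory; modules that JIT need a drop-in with MemoryDenyWriteExecute=no`, so an administrator who hits the failure finds the cause and the override in the unit itself. The identical line in httpd.service needs the same comment.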