From dee54cd734ac9fb909a122b141005210c218dbfd Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Thu, 7 Mar 2024 13:04:06 +0000
Subject: [PATCH] - Updated Systemd security settings (closes #3) (Rahul Sundaram)
- updated httpd.service(5) man page (Joe Orton)
---
 httpd.service | 19 ++++++++++++++++++-
 httpd.service.xml | 24 +++++++++++++++++-------
 httpd.spec | 6 +++++-
 httpd@.service | 19 ++++++++++++++++++-
 4 files changed, 58 insertions(+), 10 deletions(-)
diff --git a/httpd.service b/httpd.service
index c5b5e08..b75e28c 100644
--- a/httpd.service
+++ b/httpd.service
@@ -26,8 +26,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/httpd.service.xml b/httpd.service.xml
index 7dfdb97..3ddbc9e 100644
--- a/httpd.service.xml
+++ b/httpd.service.xml
@@ -231,7 +231,16 @@ Wants=network-online.target
 Process policies and restrictions
- The httpd service uses the following options:
+ The httpd.service unit enables a
+ variety of sandboxing options. Many of these prevent the service
+ from changing the system configuration - such as
+ ProtectClock and
+ ProtectKernelModules. See
+ systemd.exec5
+ and
+ systemd.service5
+ for more information on these options. Particular notice should
+ be taken of the following:
 PrivateTmp is enabled by
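Review bot: The new sandboxing block in httpd.service carries no comment on the constraints it imposes, and the identical list appears again in the httpd@.service hunk at the end of the patch, so both units will need the same explanation and will drift unless a note ties them together. `MemoryDenyWriteExecute=yes` refuses writable-and-executable mappings, which loaded modules that embed a JIT (the PHP opcache JIT under mod_php is the usual example) may need at runtime, and `ProtectHome=read-only` stops any vhost or CGI that writes under /home; neither restriction is visible from the unit itself, only from the man page. A short comment above the block, e.g. `# Sandboxing (see httpd.service(5)); adjust per site with a drop-in via 'systemctl edit httpd.service'`, would give an operator the pointer they need when a module fails to load. `ProtectSystem=yes` makes only /usr and the boot loader directories read-only; if httpd writes nothing under /etc at runtime, `ProtectSystem=full` would extend that to /etc at no cost, which is worth confirming before tightening.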
@@ -247,13 +256,14 @@ Wants=network-online.target
 the policy to continue, httpd will continue to run (and recover)
 if a single child is terminated because of excess memory
 consumption.
-
- See
- systemd.exec5
- and
- systemd.service5
- for more information.
+ ProtectHome is set to
+ read-only by default. CGI scripts run via
+ UserDir will not be able modify any
+ content in /home by
+ default.
+
+
diff --git a/httpd.spec b/httpd.spec
index 3b40eed..b2ea95b 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -24,7 +24,7 @@ Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.58
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -829,6 +829,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Mon Jan 15 2024 Rahul Sundaram - 2.4.58-7
+- Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
+- updated httpd.service(5) (Joe Orton)
+
 * Wed Jan 24 2024 Fedora Release Engineering - 2.4.58-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
diff --git a/httpd@.service b/httpd@.service
index 84424fb..8b20b90 100644
--- a/httpd@.service
+++ b/httpd@.service
@@ -19,8 +19,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target