opendkim.service: harden systemd service #154
Open
The current `opendkim.service` file is not hardened, and `systemd-analyze security opendkim.service` reports an "UNSAFE" exposure level of 9.6. With the help of that tool I've applied some more security hardenings to the unit file, and the exposure level dropped to an amazing 1.1!
Some of the most notable changes include:
- Setting `ProtectSystem=` to `strict`, so that the entire file system is mounted read-only; users can allow-list writable paths by overriding the config with `systemctl edit opendkim.service`, but it shouldn't be needed. OpenDKIM doesn't modify files at all, and only creates a unix socket at startup, usually in `/run/opendkim/opendkim.socket` or `/var/spool/postfix/opendkim/opendkim.socket`. Both paths are allowed by default.
- Denying execution of system binaries with `NoExecPaths=/`, and only allowing the `opendkim` binary itself with `ExecPaths=/usr/sbin/opendkim`, so that if an attacker is able to gain access to OpenDKIM they won't be able to do much, if anything, as spawning shells, listing files, etc. won't be allowed, making RCE vulnerabilities much harder to exploit.
- Making home directories inaccessible with `ProtectHome=true`
- Hiding all the users of the system, with `PrivateUsers=true`
- Restricting the kind of permitted system calls with `SystemCallFilter=@system-service` and `SystemCallFilter=~ @privileged @resources`
Ported from https://salsa.debian.org/debian/opendkim/-/merge_requests/3
Related to #146
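The drop-in below is an added example, not the unit file from this PR or from the Debian package: it shows how the directives described above fit together as an override that a user can apply with `systemctl edit opendkim.service` on an unhardened unit. The paths (`/usr/sbin/opendkim`, `/run/opendkim`, `/var/spool/postfix/opendkim`, `/usr/lib`) are assumptions for a Debian-style layout. It differs from the PR text in one deliberate place: `ExecPaths=` also lists the library directory, because with `NoExecPaths=/` the loader and shared libraries are mapped from a noexec mount, and systemd's own `systemd.exec(5)` example for this pair lists the library directories next to the daemon binary.

```ini
# /etc/systemd/system/opendkim.service.d/hardening.conf
# Added example drop-in (not the PR's own unit file). Paths assume a
# Debian-style layout and should be checked against the local install.
[Service]
# Mount the whole file system read-only for the service; only paths
# allow-listed below (and the RuntimeDirectory) stay writable.
ProtectSystem=strict
# /run/opendkim is created by systemd at start and removed at stop;
# this is where the default unix socket lives.
RuntimeDirectory=opendkim
# Socket directory inside the Postfix chroot. The leading '-' makes
# systemd ignore the entry if the directory does not exist.
ReadWritePaths=-/var/spool/postfix/opendkim
# No access to /home, /root or /run/user.
ProtectHome=true
# Run inside a private user namespace.
PrivateUsers=true
# Everything noexec, then re-allow only what the daemon needs to run.
# /usr/lib is listed so ld.so and shared libraries can still be mapped
# executable (assumption: libraries live under /usr/lib on this host).
NoExecPaths=/
ExecPaths=/usr/sbin/opendkim /usr/lib
# Allow the generic system-service syscall set, then deny the
# privileged and resource-control groups on top of it.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

After writing the file, run `systemctl daemon-reload && systemctl restart opendkim.service`, then `systemd-analyze security opendkim.service` to see the new exposure score and `journalctl -u opendkim.service -b` for start-up errors. The two failures worth looking for are a permission error when OpenDKIM creates its socket (the directory is missing from `ReadWritePaths=` or `RuntimeDirectory=`) and an exec-format or loader error at start (a library or the binary sits on a path still covered by `NoExecPaths=`). The analyzer score only reflects which directives are set, so a signed test message through the milter is the real check that the hardened unit still works.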