opendkim.service: harden systemd service #154

Open
wants to merge 1 commit into
base: develop

Commits on Jun 20, 2022

  1. opendkim.service: harden systemd service

    The current opendkim.service file is not hardened, and
    `systemd-analyze security opendkim.service` reports an
    "UNSAFE" exposure level of 9.6.
    
    With the help of that tool I've applied some more security hardenings
    to the unit file, and the exposure level dropped to an amazing 1.1!
    
    Some of the most notable changes include:
    
    - Setting ProtectSystem= to strict, so that the entire file system is
      mounted read-only; users can allow-list writable paths by overriding
      the config with `systemctl edit opendkim.service`, but it shouldn't
      be needed. OpenDKIM doesn't modify files at all, and only creates a
      unix socket at startup, usually in /run/opendkim/opendkim.socket or
      /var/spool/postfix/opendkim/opendkim.socket. Both paths are allowed
      by default.
    
    - Denying execution of system binaries with NoExecPaths=/, and only
      allowing the opendkim binary itself with
      ExecPaths=/usr/sbin/opendkim, so that if an attacker is able to gain
      access to OpenDKIM they won't be able to do much, if anything, as
      spawning shells, listing files, etc. won't be allowed, making RCE
      vulnerabilities much harder to exploit.
    
    - Making home directories inaccessible with ProtectHome=true
    
    - Hiding all the users of the system, with PrivateUsers=true
    
    - Restricting the kind of permitted system calls with
      SystemCallFilter=@system-service and
      SystemCallFilter=~@privileged @resources
    Tachi107 committed Jun 20, 2022
    25c4b80
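
One way to check a unit file for the directives listed in the commit message, as an added example that is not part of the PR or the OpenDKIM project: it merges the `[Service]` settings the way systemd does (list settings accumulate, an empty assignment resets, a leading `~` inverts the whole line) and reports what is absent. The sample unit and the names `parse_service` and `missing_hardening` are constructed for illustration; syscall group names use systemd's lowercase spelling.

```python
# Constructed sample unit (not the PR's file); directives as named in the commit message.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/sbin/opendkim
ProtectSystem=strict
ProtectHome=true
PrivateUsers=true
NoExecPaths=/
ExecPaths=/usr/sbin/opendkim
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
"""

# Tokens each directive must carry; a leading "~" marks a denied syscall group.
EXPECTED = {
    "ProtectSystem": {"strict"},
    "ProtectHome": {"true"},
    "PrivateUsers": {"true"},
    "NoExecPaths": {"/"},
    "ExecPaths": {"/usr/sbin/opendkim"},
    "SystemCallFilter": {"@system-service", "~@privileged", "~@resources"},
}
LIST_KEYS = {"ExecPaths", "NoExecPaths", "SystemCallFilter"}  # repeated lines accumulate
TRUTHY = {"1", "yes", "true", "on"}  # systemd boolean spellings

def parse_service(text):
    """Merge [Service] settings of interest; line continuations are not handled."""
    section, settings = None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        key, _, value = (p.strip() for p in line.partition("="))
        if section != "Service" or key not in EXPECTED:
            continue  # also skips blanks, comments and section headers
        deny = value.startswith("~")  # "~" inverts every entry on the line
        tokens = ["true" if t.lower() in TRUTHY else t for t in value.lstrip("~").split()]
        tokens = {"~" + t if deny else t for t in tokens}
        if key in LIST_KEYS and tokens:
            settings.setdefault(key, set()).update(tokens)
        else:
            settings[key] = tokens  # scalar: last value wins; empty value resets
    return settings

def missing_hardening(text):
    """Return {directive: [missing tokens]}; presence check only, not filter evaluation."""
    have = parse_service(text)
    gaps = {k: sorted(want - have.get(k, set())) for k, want in EXPECTED.items()}
    return {k: v for k, v in gaps.items() if v}
```

Running `missing_hardening` over the output of `systemctl cat opendkim.service` also catches a drop-in that silently resets a list setting with an empty assignment.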