Bug#913605: lintian: inform about lack of systemd service hardening/security options
Andreas Henriksson
andreas at fatal.se
Mon Nov 12 21:40:06 GMT 2018
Package: lintian
Version: 2.5.112
Severity: normal
Dear Maintainer,
I think it would be useful if we got some more widespread usage of the
security features available in systemd service units.
I'm not sure how to properly check if a service uses a good amount
hardening/security options, but I think currently there's enough
services in debian that uses *none* that it's probably useful to just
check and warn about that. Hopefully once a maintainer starts looking
at this at all (s)he will discover and use more than one. Hopefully also
starting a discussion with their upstream which might even improve and
refine further for upcoming releases. One can always dream right?
Maybe in the future lintian can leverage something of the recently
implemented things in systemd tooling that was recently mentioned at:
https://twitter.com/pid_eins/status/1060881595106762752
(and other previous tweets)
As a start for now we could do something like:
grep -qE '^#?P(protect|rivate)' $FOOSERVICE || echo "Please enable some security options for your service"
Relevant links to show in the lintian tag:
http://0pointer.de/blog/projects/security.html
https://www.freedesktop.org/software/systemd/man/systemd.exec.html
man:systemd.exec(5)
While working with these security options is much easier than using
something like selinux or apparmour, there's still potential for
getting things wrong. I think it would be useful to mention in the
lintian tag description that people should collaborate with their
upstreams about the changes (and in general upstream their service
files rather than carry them in debian/*.service).
Regards,
Andreas Henriksson
More information about the Pkg-systemd-maintainers
mailing list