Bug#892730: nslcd: Please add systemd .service file
Trent W. Buck
trentbuck at gmail.com
Wed Oct 20 22:14:50 BST 2021
PS: the hardening bit also works as a dropin,
i.e. you can put it into /etc/systemd/system/nslcd.service.d/hardening.conf
and the rest of the unit remains auto-generated from /etc/init.d/nslcd.
Trent W. Buck wrote:
> # nslcd listens to /run/nslcd/socket and creates /run/nslcd/nslcd.pid.
> # We can tell systemd about this.
> RuntimeDirectory=nslcd
> WorkingDirectory=/run/nslcd
>
>
> # Additional security lockdown (optional).
> # $ systemd-analyze security nslcd:
> # → Overall exposure level for nslcd.service: 1.2 OK 🙂
> [Service]
> CapabilityBoundingSet=
> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> DevicePolicy=closed
> NoNewPrivileges=yes
> PrivateDevices=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectClock=yes
> ProtectControlGroups=yes
> ProtectHome=yes
> ProtectKernelLogs=yes
> ProtectKernelModules=yes
> ProtectKernelTunables=yes
> ProtectProc=invisible
> ProtectSystem=strict
> RestrictSUIDSGID=yes
> SystemCallArchitectures=native
> SystemCallFilter=@system-service
> # We can't drop @privileged because we fail with:
> # nslcd: wait_for_response(): read_response() returned 0 (expected 4)
> # nslcd: unable to daemonize: No data available
> #SystemCallFilter=~@privileged
> SystemCallFilter=~@resources
> RestrictNamespaces=yes
> RestrictRealtime=yes
> LockPersonality=yes
> MemoryDenyWriteExecute=yes
> RemoveIPC=yes
> UMask=0077
> ProtectHostname=yes
> ProcSubset=pid
More information about the Pkg-systemd-maintainers
mailing list