#40 Update Systemd settings
Closed 2 months ago by sundaram. Opened 4 months ago by sundaram.
rpms/ sundaram/httpd rawhide  into  rawhide

Update Systemd security settings
Rahul Sundaram • 4 months ago  
file modified
+21 -3
@@ -20,14 +20,32 @@ 

  [Service]

  Type=notify

  Environment=LANG=C

- 

  ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND

  ExecReload=/usr/sbin/httpd $OPTIONS -k graceful

+ DevicePolicy=closed

+ KeyringMode=private

+ KillMode=mixed

  # Send SIGWINCH for graceful stop

  KillSignal=SIGWINCH

- KillMode=mixed

- PrivateTmp=true

+ LockPersonality=yes

+ MemoryDenyWriteExecute=yes

  OOMPolicy=continue

+ PrivateDevices=yes

+ PrivateTmp=true

+ ProtectClock=yes

+ ProtectControlGroups=yes

+ ProtectHome=read-only

+ ProtectHostname=yes

+ ProtectKernelLogs=yes

+ ProtectKernelModules=yes

+ ProtectKernelTunables=yes

+ ProtectProc=invisible

+ ProtectSystem=yes

+ RemoveIPC=yes

+ RestrictNamespaces=yes

+ RestrictRealtime=yes

+ RestrictSUIDSGID=yes

+ SystemCallArchitectures=native

  

  [Install]

  WantedBy=multi-user.target
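
Review bot: MemoryDenyWriteExecute=yes, added between LockPersonality=yes and OOMPolicy=continue, applies to every module loaded into the httpd process, so any module that generates code at run time or needs mappings that are both writable and executable will fail under it. The stated testing covers only the default httpd configuration. Either leave this directive out of the packaged unit or document a drop-in that sets MemoryDenyWriteExecute=no for sites that load such modules. Related: ProtectHome=read-only keeps UserDir content readable but blocks any handler that writes under /home, which is worth stating next to the directive in a comment.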

file modified
+4 -1
@@ -24,7 +24,7 @@ 

  Summary: Apache HTTP Server

  Name: httpd

  Version: 2.4.58

- Release: 4%{?dist}

+ Release: 5%{?dist}

  URL: https://httpd.apache.org/

  Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2

  Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -829,6 +829,9 @@ 

  %{_rpmconfigdir}/macros.d/macros.httpd

  

  %changelog

+ * Mon Jan 15 2024 Rahul Sundaram <sundaram@fedoraproject.org> - 2.4.58-5

+ - Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening

+ 

  * Fri Jan  5 2024 Joe Orton <jorton@redhat.com> - 2.4.58-4

  - fix OpenSSL 3.0 deprecation warnings (r1913912, r1915067)

  - mod_ssl: move to provider API for pkcs11 support (#2253014)
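
Review bot: The changelog entry added under %changelog says only "Update Systemd security settings", which gives an admin no way to connect a post-upgrade failure to a specific directive. Name the settings with user-visible effect in the entry (for example ProtectHome=read-only and PrivateDevices=yes from the unit file change) so that the output of rpm -q --changelog httpd points directly at the cause.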

Hello Joe, as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening, which has been approved for Fedora 40, I am working on updating Systemd services to add additional hardening settings. Please review this PR and let me know if you have any feedback. Everything here works with the default httpd configuration and should be safe for upgrades as well. Thanks

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/2904c831c2494582836a727a44d646ef

1 new commit added

  • Update Systemd settings
4 months ago

1 new commit added

  • Update Systemd settings
4 months ago

1 new commit added

  • Update System settings to include ProtectSystem
4 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/d2d772fa5f004f8a9340f120682cd178

Looks like this broke a bunch of tests. I think the common factor is the ones using CGI scripts, so maybe back out anything to do with changing privileges and try again?

ProtectHome=yes will break /~user/ (UserDir)

1 new commit added

  • Update System settings to retry tests
4 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/c8ab6069979349afa29e9b788f9acf29

1 new commit added

  • Sort the settings for better readability
4 months ago

I have dropped a couple of settings (NoNewPrivileges and MemoryDenyWriteExecute) to make the tests happy. I have updated ProtectHome to be read-only to avoid upgrade disruptions. Sorted the settings for better readability. Let me know if that looks better.

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/bd8728717fa54a298f87f55c71824714

Thanks for updating the PR, can you squash it please?

I haven't forgotten about this, but I am still concerned about possible regressions. I will try to get a build through the RHEL test suite which has much better coverage than what we have in Fedora today.

This ended up with a duplicate ProtectHostname=yes

Forgot to say - otherwise yes, thanks - fixed the CI so the more conservative set of options is clearly better.

1 new commit added

  • Test NoNewPrivileges
4 months ago

I will test which one of these settings actually breaks the build, clean up the duplicates and then squash the commits. You can run it through your internal RHEL test suites for regressions and merge after that. Appreciate the followups.

1 new commit added

  • Test MemoryDenyWriteExecute
4 months ago

rebased onto f34068a

4 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/6c0632b6a5c2459b97eb67d63e508d09

We should be all set here

Pull-Request has been closed by sundaram

2 months ago

For the record, while this PR wasn't directly merged, it was essentially merged with some modifications as part of https://src.fedoraproject.org/rpms/httpd/c/dee54cd734ac9fb909a122b141005210c218dbfd?branch=rawhide. Fedora 40 update is available at
https://bodhi.fedoraproject.org/updates/FEDORA-2024-34e9232e25
