Hi,
The security team at openSUSE recommends strengthening the security of xrootd's systemd services by making certain additions to its service files. These look like the following, for example, and similarly for the other service files:

```patch
Index: [log in to unmask]
===================================================================
--- [log in to unmask]
+++ [log in to unmask]
@@ -6,6 +6,17 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 ExecStart=/usr/bin/xrootd -l /var/log/xrootd/xrootd.log -c /etc/xrootd/xrootd-%i.cfg -k fifo -s /run/xrootd/xrootd-%i.pid -n %i
 User=xrootd
 Group=xrootd
```
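Review bot: the comment block in this hunk should state the minimum systemd version the additions require, because two of the eight directives are relatively new: ProtectHostname= exists only from systemd 242 and ProtectClock= only from systemd 245 (ProtectKernelLogs= needs 244). On an older systemd each unknown key is logged as a warning and silently ignored, so the unit still starts but without that particular protection, and nobody notices unless they read the journal. Suggest either adding a line such as "# requires systemd >= 245" next to the openSUSE URL, or gating the version in the package spec for distributions that backport the unit. Two checks worth doing before merging: run systemd-analyze security on an instance unit with and without the block and confirm the exposure score drops, and confirm the journal shows no "Unknown key name" warnings for the added settings. Note also that none of the added directives restricts filesystem writes (ProtectSystem=/ProtectHome= are deliberately not in the set), so the /var/log/xrootd and /run/xrootd paths in the ExecStart= line are unaffected; if those are added later they will need matching ReadWritePaths= entries.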


Please let us know if you find these options, or specifically any of these options, useful, and I can submit patches. Fwiw, we have already had these patches applied to our openSUSE packages for a while now (since Jan 2022). More details are [here](https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort).

openSUSE packages are here: <https://build.opensuse.org/package/show/openSUSE:Factory/xrootd>

Thanks in advance.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/2033
You are receiving this because you are subscribed to this thread.

Message ID: <[log in to unmask]>
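The eight directives in the patch above can be audited across a set of unit files with the following script. This is an added example, not code from the xrootd project or the openSUSE package: the directive list is taken from the hunk, and the two sample units the script can generate (a hardened one and a stock one) are constructed here for illustration, modelled on the lines visible in the hunk.

```shell
#!/bin/sh
# Added example, not part of the xrootd project or the openSUSE package:
# audit systemd unit files for the hardening directives proposed in the
# openSUSE patch. The directive list comes from that hunk; the sample
# units emitted by write_sample_unit are constructed for this example.

# Directives the openSUSE patch adds to the [Service] section.
RECOMMENDED="PrivateDevices ProtectHostname ProtectClock ProtectKernelTunables
ProtectKernelModules ProtectKernelLogs ProtectControlGroups RestrictRealtime"

# has_true UNITFILE KEY
# Succeeds if KEY is set to a true value inside the [Service] section.
# As in systemd, when a key is assigned more than once the last assignment
# wins, so "PrivateDevices=true" followed by "PrivateDevices=false" is false.
has_true() {
    awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[k] = v
        }
        END { if (val[key] ~ /^(true|yes|on|1)$/) exit 0; exit 1 }
    ' "$1"
}

# hardening_gaps UNITFILE
# Prints one line per recommended directive that is absent or not true;
# returns 0 when the unit carries all of them, 1 otherwise.
hardening_gaps() {
    unit="$1"
    gaps=0
    for key in $RECOMMENDED; do
        if ! has_true "$unit" "$key"; then
            echo "$key: missing or not true in $unit"
            gaps=$((gaps + 1))
        fi
    done
    [ "$gaps" -eq 0 ]
}

# write_sample_unit hardened|stock
# Emits a constructed xrootd@.service modelled on the hunk in the mail,
# either with the openSUSE additions (hardened) or without them (stock).
write_sample_unit() {
    cat <<'EOF'
[Unit]
Requires=network-online.target
After=network-online.target

[Service]
EOF
    if [ "$1" = hardened ]; then
        for key in $RECOMMENDED; do echo "$key=true"; done
    else
        # Stock unit, plus a later override that a naive grep would miss.
        echo "PrivateDevices=true"
        echo "PrivateDevices=false"
    fi
    cat <<'EOF'
ExecStart=/usr/bin/xrootd -l /var/log/xrootd/xrootd.log -c /etc/xrootd/xrootd-%i.cfg -k fifo -s /run/xrootd/xrootd-%i.pid -n %i
User=xrootd
Group=xrootd
EOF
}

# When invoked with unit files as arguments, audit each of them, e.g.
#   sh audit-hardening.sh /usr/lib/systemd/system/xrootd@.service
for unit in "$@"; do
    hardening_gaps "$unit"
done
```

The awk parser deliberately only reads the [Service] section and honours systemd's last-assignment-wins rule, so a drop-in or a later line that flips a directive back to false is reported as a gap rather than passed by a simple grep for the key name. It checks the unit text only; whether the running systemd actually understands each directive is a separate check with systemd-analyze security on the live unit.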


To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1