Hi,
The security team at openSUSE recommends strengthening the security of xrootd's systemd services by making certain additions to its service files. These look like the following, for example, and similarly for the other service files:

Index: [log in to unmask]
===================================================================
--- [log in to unmask]
+++ [log in to unmask]
@@ -6,6 +6,17 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 ExecStart=/usr/bin/xrootd -l /var/log/xrootd/xrootd.log -c /etc/xrootd/xrootd-%i.cfg -k fifo -s /run/xrootd/xrootd-%i.pid -n %i
 User=xrootd
 Group=xrootd
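Review bot: the "added automatically" comment and the openSUSE wiki link in this hunk are distro packaging provenance rather than documentation of the unit; if the change is upstreamed, replace those two comment lines with a short note on what the directives do or a pointer to systemd.exec(5). Two caveats worth stating in that comment: none of the eight directives restrict the paths the ExecStart line touches (/var/log/xrootd, /run/xrootd, /etc/xrootd), so filesystem-level settings such as ProtectSystem= with ReadWritePaths= are the natural next step, and older systemd releases ignore directives they do not know (logging an "Unknown key" warning), so the hardening actually applied differs between platforms even though the unit file is identical.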

Please let us know if you find these options, or specifically any of these options, useful, and I can submit patches. Fwiw, we have already had these patches applied to our openSUSE packages for a while now (since Jan 2022). More details are here.

openSUSE packages are here: https://build.opensuse.org/package/show/openSUSE:Factory/xrootd

Thanks in advance.


GitHub issue: https://github.com/xrootd/xrootd/issues/2033
Message ID: <xrootd/xrootd/issues/2033@github.com>
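A small lint for the recommendation in the message above, as an added example that is not xrootd's or openSUSE's code: it parses a unit file, reports which of the eight recommended [Service] directives are unset or not enabled, emits a hardened copy that inserts the missing lines after the [Service] header the way the quoted patch does, and lists which directives an older systemd would silently ignore. The sample unit is constructed from the ExecStart/User/Group lines visible in the hunk; the table of systemd versions that introduced each directive is the author's recollection of systemd's NEWS file and is an assumption to verify against systemd.exec(5) on your release.

```python
"""Lint a systemd unit for the hardening directives recommended in the thread.

Added example (not xrootd's or openSUSE's code). Parses a unit file,
reports which recommended [Service] directives are missing or disabled,
and writes a hardened copy that inserts them after the [Service] header,
as the quoted patch does.
"""
import re

# The directives added by the openSUSE patch, all expected to be "true".
RECOMMENDED = (
    "PrivateDevices", "ProtectHostname", "ProtectClock",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectKernelLogs",
    "ProtectControlGroups", "RestrictRealtime",
)

# systemd release that introduced each directive. Assumption: recalled from
# systemd's NEWS file; verify against systemd.exec(5) on your release.
# Older systemd logs an "Unknown key" warning and ignores the line.
INTRODUCED_IN = {
    "PrivateDevices": 209, "RestrictRealtime": 231,
    "ProtectKernelTunables": 232, "ProtectKernelModules": 232,
    "ProtectControlGroups": 232, "ProtectHostname": 242,
    "ProtectKernelLogs": 244, "ProtectClock": 245,
}

TRUE_VALUES = {"1", "yes", "true", "on"}   # boolean spellings systemd accepts


def parse_unit(text):
    """Return {section: [(key, value), ...]} for a unit file.

    Skips blank lines and comments (# or ;). Repeated keys are kept in
    order because in systemd the last assignment wins and an empty
    assignment ("Key=") resets the setting.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def effective_setting(entries, key):
    """Last assignment wins; an empty assignment resets to unset (None)."""
    value = None
    for k, v in entries:
        if k == key:
            value = v if v != "" else None
    return value


def missing_hardening(text):
    """Recommended directives that are unset or not enabled in [Service]."""
    service = parse_unit(text).get("Service", [])
    return [d for d in RECOMMENDED
            if (effective_setting(service, d) or "").lower() not in TRUE_VALUES]


def ignored_on(systemd_version):
    """Recommended directives that this systemd version would not understand."""
    return [d for d in RECOMMENDED if INTRODUCED_IN[d] > systemd_version]


def harden_unit(text):
    """Insert the missing directives right after the [Service] header."""
    missing = missing_hardening(text)
    if not missing:
        return text
    out, inserted = [], False
    for line in text.splitlines():
        out.append(line)
        if not inserted and line.strip() == "[Service]":
            out.append("# hardening directives, see systemd.exec(5)")
            out.extend(f"{d}=true" for d in missing)
            inserted = True
    if not inserted:  # no [Service] section at all: append one
        out += ["", "[Service]"] + [f"{d}=true" for d in missing]
    return "\n".join(out) + "\n"


# Constructed sample: the pre-patch unit as far as the hunk shows it.
WEAK_UNIT = """\
[Unit]
Requires=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/xrootd -l /var/log/xrootd/xrootd.log -c /etc/xrootd/xrootd-%i.cfg -k fifo -s /run/xrootd/xrootd-%i.pid -n %i
User=xrootd
Group=xrootd
"""

if __name__ == "__main__":
    print("missing:", missing_hardening(WEAK_UNIT))
    print("ignored on systemd 241:", ignored_on(241))
    print(harden_unit(WEAK_UNIT))
```

The lint only tells you what the file asks for; on the target host, `systemd-analyze security xrootd@.service` reports what the running systemd actually applied, which is the check to run after installing the patched unit.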

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1