#1032331 dictd: should use systemd security features

Package:
dictd
Source:
dictd
Description:
dictionary server
Submitter:
Russell Coker
Date:
2023-03-04 06:27:04 UTC
Severity:
normal
Tags:
#1032331#5
Date:
2023-03-04 06:25:09 UTC
It would be good if dictd was configured to use the systemd security features
when running on systemd systems. The below are settings that I have tested and
found to work.

If we had dictd use all the systemd features instead of just running init.d
scripts then we could make it a little stricter; we could remove CAP_SETUID,
CAP_SETGID and CAP_KILL for starters.

I know it's close to freeze, but dictd isn't a particularly complex daemon
and it won't break things badly if it has a problem.

The probability of a system being pwned via dictd is very low but it would
be good to get the "systemd-analyze security" score for Debian as low as
possible.

[Service]
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_KILL CAP_SYS_PTRACE
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @resources @swap @module @obsolete @clock
ProtectSystem=strict
ProtectProc=invisible
SystemCallArchitectures=native
DevicePolicy=closed
UMask=077
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
MemoryDenyWriteExecute=true
ProtectHostname=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
ProtectClock=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
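One thing worth checking before shipping a fragment like the one above is how systemd resolves repeated directives: single-valued settings such as ProtectSystem= are last-one-wins, while a few list-valued settings (CapabilityBoundingSet=, SystemCallFilter=, RestrictAddressFamilies=) are merged across assignments. The fragment in this report sets ProtectSystem= twice, so the effective value would be "true" rather than "strict". The following linter is an added example written for this editorial pass; it is not code from the bug report, from the dictd package, or from systemd. It embeds a copy of the posted [Service] settings as constructed input, reports duplicated single-valued keys, and computes the tighter bounding set the report asks for. The override path named in the docstring is the conventional location created by "systemctl edit dictd" and is an assumption here, not something the report specifies.

```python
"""Lint a systemd [Service] hardening fragment before installing it as a
drop-in such as /etc/systemd/system/dictd.service.d/override.conf (the path
"systemctl edit" would create; assumed here, not taken from the report).

Added example for this page, not code from the bug report or dictd packaging.
The fragment below is a constructed copy of the settings proposed in the report.
"""

from collections import OrderedDict

# Directives systemd merges when assigned more than once (see systemd.exec(5));
# an empty assignment resets the accumulated list. Everything else is
# single-valued and the last assignment wins, which is what the linter flags.
MERGED_KEYS = {
    "CapabilityBoundingSet", "SystemCallFilter", "RestrictAddressFamilies",
    "ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths", "Environment",
}

# Constructed input: the [Service] fragment as posted in the report.
PROPOSED_FRAGMENT = """\
[Service]
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_KILL CAP_SYS_PTRACE
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @resources @swap @module @obsolete @clock
ProtectSystem=strict
ProtectProc=invisible
SystemCallArchitectures=native
DevicePolicy=closed
UMask=077
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
MemoryDenyWriteExecute=true
ProtectHostname=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
ProtectClock=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
"""


def parse_service_section(text):
    """Return (effective_settings, warnings) for the [Service] section only.

    effective_settings maps directive -> str (single-valued) or list (merged).
    warnings lists single-valued directives that were reassigned to a
    different value, since the earlier value is silently discarded.
    """
    effective = OrderedDict()
    warnings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in MERGED_KEYS:
            if value == "":
                effective[key] = []  # empty assignment resets the list
            else:
                effective.setdefault(key, []).extend(value.split())
        else:
            if key in effective and effective[key] != value:
                warnings.append(
                    f"line {lineno}: {key}= reassigned "
                    f"({effective[key]!r} -> {value!r}); only the last value applies"
                )
            effective[key] = value
    return effective, warnings


def tighten_capabilities(effective, drop):
    """Return CapabilityBoundingSet= with the named capabilities removed,
    i.e. the stricter set the report says becomes possible once dictd is run
    natively under systemd instead of via its init.d script."""
    caps = effective.get("CapabilityBoundingSet", [])
    return [c for c in caps if c not in set(drop)]


if __name__ == "__main__":
    settings, problems = parse_service_section(PROPOSED_FRAGMENT)
    for p in problems:
        print("WARNING:", p)
    print("effective ProtectSystem=", settings["ProtectSystem"])
    print("tighter CapabilityBoundingSet=",
          " ".join(tighten_capabilities(settings, ["CAP_SETUID", "CAP_SETGID", "CAP_KILL"])))
```

Run on the posted fragment, the linter reports the ProtectSystem= reassignment and shows that only CAP_SYS_PTRACE would remain in the bounding set after dropping the three capabilities named in the report. The same parse can be pointed at any drop-in before "systemctl daemon-reload" to catch a stricter setting being overridden by a later, weaker one.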