HI!
(I hope this posting is on-topic here since I didn't find a
systemd-users mailing list.)
I'm trying to use SocketBindAllow= and SocketBindDeny= in service units
to limit the ports a network service can bind to.
My goal: Services normally not binding to a TCP or UDP socket at all
should immediately fail in case an attacker managed to hijack the
service for spawning up a rogue service.
I've added settings to allow binding to any IPv4 and IPv6 address but
only on TCP ports 80 and 443:
SocketBindAllow=ipv4:tcp:80
SocketBindAllow=ipv4:tcp:443
SocketBindAllow=ipv6:tcp:80
SocketBindAllow=ipv6:tcp:443
[..]
SocketBindDeny=any
The service still works. Fine.
For testing I change the allowed ports to invalid port values like this:
SocketBindAllow=ipv4:tcp:81
SocketBindAllow=ipv4:tcp:444
SocketBindAllow=ipv6:tcp:81
SocketBindAllow=ipv6:tcp:444
With this I'd expect the service to fail. But it still runs and binds to
ports 80 and 443.
Is my configuration wrong (find complete service file below)?
Or is my expectation that the service should fail wrong?
I'm using systemd 249 on openSUSE Tumbleweed which has a couple of patches:
https://build.opensuse.org/package/show/Base:System/systemd
Ciao, Michael.
# /etc/systemd/system/ae-apache.service
#-----------------------------------------------------------------------
# initiate: systemctl enable ae-apache.service
# start: systemctl start ae-apache.service
# get status: systemctl status ae-apache.service
#
# Ansible managed: ansible-example-site/master
#-----------------------------------------------------------------------
[Unit]
Description=AE-DIR Apache web server
Requires=local-fs.target network.target
After=local-fs.target network.target
[Service]
Type=simple
Environment=APACHE_PID_FILE=/run/ae-dir/apache/apache.pid
PIDFile=/run/ae-dir/apache/apache.pid
User=ae-dir-httpd
Group=ae-dir-httpd
UMask=0027
ExecStart=/usr/sbin/httpd-event -DSYSTEMD -DFOREGROUND -f
/opt/ae-dir/etc/apache2.conf -k start
ExecReload=/usr/sbin/httpd-event -DSYSTEMD -DFOREGROUND -f
/opt/ae-dir/etc/apache2.conf -k graceful
ExecStop=/usr/sbin/httpd-event -DSYSTEMD -DFOREGROUND -f
/opt/ae-dir/etc/apache2.conf -k graceful-stop
WorkingDirectory=/run/ae-dir/apache
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SocketBindAllow=ipv4:tcp:81
SocketBindAllow=ipv4:tcp:444
SocketBindAllow=ipv6:tcp:81
SocketBindAllow=ipv6:tcp:444
# various hardening options from ansible var aedir_systemd_hardening
UMask=0077
SocketBindDeny=any
PrivateUsers=no
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectProc=invisible
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
NoNewPrivileges=yes
MountFlags=private
SystemCallArchitectures=native
LockPersonality=yes
KeyringMode=private
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
DevicePolicy=closed
MemoryDenyWriteExecute=yes
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount
@raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid
AppArmorProfile=ae-apache
[Install]
WantedBy=multi-user.target