Hardening nginx.service with systemd
Dulmandakh Sukhbaatar
dulmandakh at gmail.com
Thu Mar 26 13:37:34 UTC 2020
Hello,
I would like to propose to harden nginx.service with systems configurations, and this change uses PrivateDevices=yes, PrivateTmp=yes and ProtectSystem=full configs. And here are excerpts from man systemd.exec man page.
PrivateDevices=yes
sets up a new /dev mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others
PrivateTmp=yes
sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace
ProtectSystem=full
mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too
I believe that these configs will harden nginx.service, thus protect OS from security bugs in nginx.
https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx.service.patch
Type: application/octet-stream
Size: 626 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20200326/1d2faf1e/attachment.obj>
More information about the nginx-devel
mailing list