Hardening nginx.service with systemd
thresh at nginx.com
Tue Mar 31 10:52:52 UTC 2020
Thank you for your contribution!
26.03.2020 16:37, Dulmandakh Sukhbaatar wrote:
> I would like to propose to harden nginx.service with systems configurations, and this change uses PrivateDevices=yes, PrivateTmp=yes and ProtectSystem=full configs. And here are excerpts from man systemd.exec man page.
> sets up a new /dev mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others
On my Debian system:
$ id nginx
uid=112(nginx) gid=121(nginx) groups=121(nginx)
$ /bin/ls -la /dev/mem /dev/sda /dev/port
crw-r----- 1 root kmem 1, 1 Mar 30 20:26 /dev/mem
crw-r----- 1 root kmem 1, 4 Mar 30 20:26 /dev/port
brw-rw---- 1 root disk 8, 0 Mar 30 20:26 /dev/sda
As nginx workers run as unprivileged user, that hardening is already
applied as a part of a standard operating system privilege separation.
By default nginx master process indeed starts as a root user, but does
not do a lot of things which might have a potential security impact.
> sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace
We already had that enabled some time ago, and it caused non-obvious
issues with configurations that use /tmp to store temporary files for
> mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too
It's effectively read-only as nginx worker processes run under
non-privileged users even without that systemd flag, same as for
> I believe that these configs will harden nginx.service, thus protect OS from security bugs in nginx.
All in all, I believe that kind of configuration hardening might make
sense in the specific scenarios, but not something we can enforce on all
our users by default.
More information about the nginx-devel