Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improvements and fixes for systemd unbound.service #76

Merged
merged 1 commit into from
Sep 19, 2019
Merged

Improvements and fixes for systemd unbound.service #76

merged 1 commit into from
Sep 19, 2019

Conversation

Maryse47
Copy link
Contributor

@Maryse47 Maryse47 commented Sep 17, 2019
edited
Loading

  1. Remove ProtectKernelTunables=true: This prevents various with socket options from working as shown below.
    unbound[] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
  2. Add CAP_NET_ADMIN to available caps which is needed for ip-transparent: yes config option to work as shown below.
    unbound[] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
  3. Make ReadWritePaths less permissive: UNBOUND_SYSCONF_DIR equals to sysconfdir which usually equals to /etc and UNBOUND_LOCALSTATE_DIR equals to localstatedir which usually equals to /var. Allowing write access for those dirs shouldn't be needed. The only dirs unbound should be allow to write to are /run ( for pidfile), @UNBOUND_RUN_DIR@ (for chroot) and @UNBOUND_CHROOT_DIR@ in case it differs from the previous one.
  4. Bind-mount /run/systemd/notify, UNBOUND_PIDFILE, /dev/log, /dev/urandom in order to use them inside chroot.
  5. Add few extra hardening options: RestrictNamespaces, LockPersonality and RestrictSUIDSGID should be safe to use.

@wcawijngaards

@Maryse47
Improvements and fixes for systemd unbound.service
ff8fd0b 
1. Remove `ProtectKernelTunables=true`: This prevents various with socket options from working as shown below.
`unbound[] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.`

2. Add `CAP_NET_ADMIN` to available caps which is needed for `ip-transparent: yes` config option to work as shown below.
`unbound[] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted`

3. Make `ReadWritePaths` less permissive: `UNBOUND_SYSCONF_DIR` equals to `sysconfdir` which usually equals to `/etc` and `UNBOUND_LOCALSTATE_DIR` equals to `localstatedir` which usually equals to `/var`. Allowing write access for those dirs shouldn't be needed. The only dirs unbound should be allow to write to are `/run` ( for pidfile), `@UNBOUND_RUN_DIR@` (for chroot) and `@UNBOUND_CHROOT_DIR@` in case it differs from the previous one.

4. Bind-mount `/run/systemd/notify`, `UNBOUND_PIDFILE`, `/dev/log`, `/dev/urandom` in order to use them inside chroot.

5. Add few extra hardening options: `RestrictNamespaces`, `LockPersonality` and `RestrictSUIDSGID` should be safe to use.
@wcawijngaards wcawijngaards merged commit 9a9d59e into NLnetLabs:master Sep 19, 2019
@wcawijngaards
Copy link
Member

Thanks for the improvements! Merged it.

wcawijngaards added a commit that referenced this pull request Sep 19, 2019
@wcawijngaards
- Merge pull request #76 from Maryse47: Improvements and fixes for
3cb1cde 
  systemd unbound.service.
(Changelog note for merge of #76).
jedisct1 added a commit to jedisct1/unbound that referenced this pull request Sep 21, 2019
@jedisct1
Merge remote-tracking branch 'nlnet/master'
35ac577 
* nlnet/master: (22 commits)
  Changelog entry for NLnetLabs#83 - Merge NLnetLabs#83 from Maryse47: contrib/unbound.service.in: do not fork   into the background.
  unbound.service.in: do not fork into the background
  Changelog entry for NLnetLabs#81. - Merge NLnetLabs#81 from Maryse47: Consistently use /dev/urandom instead   of /dev/random in scripts and docs.
  (Changelog entry for NLnetLabs#82). - Merge NLnetLabs#82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW   in unbound.service.
  Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service
  Consistently use /dev/urandom instead of /dev/random in scripts and docs
  - Merge NLnetLabs#80 from stasic: Improve wording in man page. (Changelog entry for merge)
  Improve wording in man page
  - Fix wrong response ttl for prepended short CNAME ttls, this would   create a wrong zero_ttl response count with serve-expired enabled.
  - Fix for oss-fuzz build warning.
  - Fix fix for NLnetLabs#78 to also free service callback struct.
  - oss-fuzz badge on README.md.
  - Merge pull request NLnetLabs#76 from Maryse47: Improvements and fixes for   systemd unbound.service. (Changelog note for merge of NLnetLabs#76).
  - Fix NLnetLabs#78: Memory leak in outside_network.c.
  Improvements and fixes for systemd unbound.service
  - Use explicit bzero for wiping clear buffer of hash in cachedb,   reported by Eric Sesterhenn from X41 D-Sec.
  - Fix NLnetLabs#72: configure --with-syslog-facility=LOCAL0-7 with default   LOG_DAEMON (as before) can set the syslog facility that the server   uses to log messages.
  - Fix NLnetLabs#71: fix openssl error squelch commit compilation error.
  - squelch DNS over TLS errors 'ssl handshake failed crypto error'   on low verbosity, they show on verbosity 3 (query details), because   there is a high volume and the operator cannot do anything for the   remote failure.  Specifically filters the high volume errors.
  - updated Makefile dependencies.
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Maryse47 @wcawijngaards