Hardening nginx.service with systemd

Dulmandakh Sukhbaatar
March 26, 2020 09:38AM
Hello,

I would like to propose to harden nginx.service with systemd configurations, and this change uses PrivateDevices=yes, PrivateTmp=yes and ProtectSystem=full configs. And here are excerpts from the systemd.exec man page.

PrivateDevices=yes
sets up a new /dev mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others

PrivateTmp=yes
sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace

ProtectSystem=full
mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too

I believe that these configs will harden nginx.service, and thus protect the OS from security bugs in nginx.

https://www.freedesktop.org/software/systemd/man/systemd.exec.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
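Added example, not code from the post, from nginx or from systemd: a POSIX sh helper that installs the three proposed directives as a drop-in override (so the vendor unit file stays untouched across package upgrades) and then checks what `systemctl show` reports for the running unit. The drop-in file name `hardening.conf` and both function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post, nginx or systemd): install the
# directives proposed above as a systemd drop-in and verify them afterwards.
# File name and function names are assumptions.

# Directives proposed in the post, one per line.
HARDENING_DIRECTIVES="PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=full"

# Write the drop-in into $1 (default: the nginx.service drop-in directory).
# A drop-in leaves the vendor unit file untouched, so a package upgrade does
# not silently revert the hardening.
write_dropin() {
    dir="${1:-/etc/systemd/system/nginx.service.d}"
    mkdir -p "$dir"
    printf '[Service]\n%s\n' "$HARDENING_DIRECTIVES" > "$dir/hardening.conf"
    # Then apply it:  systemctl daemon-reload && systemctl restart nginx.service
    # If nginx must write below /usr or /etc (unusual), add ReadWritePaths=.
}

# Read "Key=Value" lines from stdin, as printed by
#   systemctl show nginx.service -p PrivateDevices -p PrivateTmp -p ProtectSystem
# and return 1 if any proposed directive is absent or carries another value,
# i.e. the drop-in was not loaded or a later drop-in overrode it.
check_hardening() {
    shown=$(cat)
    status=0
    for want in $HARDENING_DIRECTIVES; do
        if ! printf '%s\n' "$shown" | grep -qxF "$want"; then
            echo "not applied: $want" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage on a real host:
#   write_dropin && systemctl daemon-reload && systemctl restart nginx.service
#   systemctl show nginx.service -p PrivateDevices -p PrivateTmp -p ProtectSystem \
#       | check_hardening
```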