From 7163f988942926575f5de98b75e40e331cddaa196dff8db49b9371a222957238 Mon Sep 17 00:00:00 2001
From: Lars Vogdt
Date: Fri, 29 Oct 2021 13:59:55 +0000
Subject: [PATCH] Accepting request 926710 from home:jsegitz:branches:systemdhardening:network

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/926710
OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=82
---
 harden_proftpd.service.patch | 23 +++++++++++++++++++++++
 proftpd.changes | 8 ++++++++
 proftpd.service | 12 ++++++++++++
 proftpd.spec | 2 ++
 4 files changed, 45 insertions(+)
 create mode 100644 harden_proftpd.service.patch

diff --git a/harden_proftpd.service.patch b/harden_proftpd.service.patch
new file mode 100644
index 0000000..0c4e86d
--- /dev/null
+++ b/harden_proftpd.service.patch
@@ -0,0 +1,23 @@
+Index: proftpd-1.3.6e/contrib/dist/rpm/proftpd.service
+===================================================================
+--- proftpd-1.3.6e.orig/contrib/dist/rpm/proftpd.service
++++ proftpd-1.3.6e/contrib/dist/rpm/proftpd.service
+@@ -4,6 +4,18 @@ Wants=network-online.target
+ After=network-online.target nss-lookup.target local-fs.target remote-fs.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type = simple
+ Environment = PROFTPD_OPTIONS=
+ EnvironmentFile = -/etc/sysconfig/proftpd
diff --git a/proftpd.changes b/proftpd.changes
index da0d80a..dd5cfa6 100644
--- a/proftpd.changes
+++ b/proftpd.changes
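Review bot: The same twelve `[Service]` lines are added here to contrib/dist/rpm/proftpd.service and again, verbatim, to the packaged proftpd.service in the third hunk; presumably only one of those two units is the one the spec installs, so the other copy is duplicated maintenance that will drift on the next hardening pass, and the changes entry already lists both. The generated comment block says where the directives come from but not what was deliberately left out: ProtectHome= is absent, presumably because an FTP daemon serves user home directories, and that reasoning should be recorded so a later pass does not add it; consider `# ProtectHome= intentionally unset: proftpd serves user home directories` before `# end of automatic additions` in both copies. Since the commit message itself says this is untested, the installed unit should be checked with `systemd-analyze verify` and an actual login before it ships, because a sandboxing directive the daemon cannot live with fails at service start rather than at build time.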
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct 20 13:16:36 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_proftpd.service.patch
+ Modified:
+ * proftpd.service
+
 -------------------------------------------------------------------
 Thu Nov 19 14:16:47 UTC 2020 - Dominique Leuenberger
diff --git a/proftpd.service b/proftpd.service
index a6bcc05..64bf1ac 100644
--- a/proftpd.service
+++ b/proftpd.service
@@ -3,6 +3,18 @@ Description=ProFTPd FTP server
 After=systemd-user-sessions.service network.target nss-lookup.target local-fs.target remote-fs.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 ExecStart=/usr/sbin/proftpd --nodaemon
 ExecReload=/bin/kill -HUP $MAINPID
diff --git a/proftpd.spec b/proftpd.spec
index 30cc62c..5d502d2 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -47,6 +47,7 @@ Patch103: %{name}-strip.patch
 Patch104: %{name}-no_BuildDate.patch
 #RPMLINT-FIX-openSUSE: env-script-interpreter
 Patch105: %{name}_env-script-interpreter.patch
+Patch106: harden_proftpd.service.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #BuildRequires: gpg-offline
 BuildRequires: fdupes
@@ -154,6 +155,7 @@ rm README.AIX
 %patch103
 %patch104
 %patch105
+%patch106 -p1
 %build
 rm contrib/mod_wrap.c
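Review bot: `Patch106:` is the only patch line in this list without a preceding comment and the only one not prefixed with `%{name}`, unlike `%{name}-strip.patch` and `%{name}_env-script-interpreter.patch` just above it. A one-line comment such as `# systemd hardening for contrib/dist/rpm/proftpd.service (bsc#1181400)` before it would match the `#RPMLINT-FIX-openSUSE:` line on Patch105 and tell the next maintainer which of the package's two unit files this patch touches. The `-p1` in the second spec hunk looks right for the `proftpd-1.3.6e/...` paths in the patch's own header, though it differs from the bare `%patch105` above it.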