Accepting request 926710 from home:jsegitz:branches:systemdhardening:network

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/926710 OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=82
2021-10-29 13:59:55 +00:00 · 2021-10-29 13:59:55 +00:00 · 7163f98894
commit 7163f98894
parent 4d4839c9ed
4 changed files with 45 additions and 0 deletions
--- a/harden_proftpd.service.patch
+++ b/harden_proftpd.service.patch
@ -0,0 +1,23 @@
+Index: proftpd-1.3.6e/contrib/dist/rpm/proftpd.service
+===================================================================
+--- proftpd-1.3.6e.orig/contrib/dist/rpm/proftpd.service
+++ proftpd-1.3.6e/contrib/dist/rpm/proftpd.service
+@@ -4,6 +4,18 @@ Wants=network-online.target
+ After=network-online.target nss-lookup.target local-fs.target remote-fs.target
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type = simple
+ Environment = PROFTPD_OPTIONS=
+ EnvironmentFile = -/etc/sysconfig/proftpd
--- a/proftpd.changes
+++ b/proftpd.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct 20 13:16:36 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_proftpd.service.patch
+  Modified:
+  * proftpd.service
+
 -------------------------------------------------------------------
 Thu Nov 19 14:16:47 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/proftpd.service
+++ b/proftpd.service
@ -3,6 +3,18 @@ Description=ProFTPd FTP server
 After=systemd-user-sessions.service network.target nss-lookup.target local-fs.target remote-fs.target

 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 ExecStart=/usr/sbin/proftpd --nodaemon
 ExecReload=/bin/kill -HUP $MAINPID

--- a/proftpd.spec
+++ b/proftpd.spec
@ -47,6 +47,7 @@ Patch103:       %{name}-strip.patch
 Patch104:       %{name}-no_BuildDate.patch
 #RPMLINT-FIX-openSUSE: env-script-interpreter
 Patch105:       %{name}_env-script-interpreter.patch
+Patch106:	harden_proftpd.service.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #BuildRequires:  gpg-offline
 BuildRequires:  fdupes
@ -154,6 +155,7 @@ rm README.AIX
 %patch103
 %patch104
 %patch105
+%patch106 -p1

 %build
 rm contrib/mod_wrap.c