From faa0f6330a7a51966f457bcf959b4eeb13bfbd91 Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell
Date: Sat, 7 Sep 2019 13:20:08 -0500
Subject: [PATCH] Port unit changes from v3.0.x

---
 debian/freeradius.service | 38 ++++++++++++++++++++++++++++++++++++--
 redhat/radiusd.service | 8 +++++---
 2 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/debian/freeradius.service b/debian/freeradius.service
index 26e49d39f390..c66af0bf7830 100644
--- a/debian/freeradius.service
+++ b/debian/freeradius.service
@@ -7,7 +7,6 @@ Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ htt
 Type=notify
 WatchdogSec=60
 NotifyAccess=all
-PIDFile=/run/freeradius/freeradius.pid
 EnvironmentFile=-/etc/default/freeradius
 
 # FreeRADIUS can do static evaluation of policy language rules based
@@ -23,12 +22,47 @@ Environment=HOSTNAME=%H
 # a leak somewhere.
 MemoryLimit=2G
 
+# Ensure the daemon can still write its pidfile after it drops
+# privileges. Combination of options that work on a variety of
+# systems. Test very carefully if you alter these lines.
 RuntimeDirectory=freeradius
 RuntimeDirectoryMode=0775
+# This does not work on Debian Jessie:
+Group=freerad
+# This does not work on Ubuntu Bionic:
+ExecStartPre=/bin/chown freerad:freerad /var/run/freeradius
+
 ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
-ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
+ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
 Restart=on-failure
 RestartSec=5
 
+# Don't elevate privileges after starting
+NoNewPrivileges=true
+
+# Allow binding to secure ports, broadcast addresses, and raw interfaces.
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
+
+# Private /tmp that isn't shared by other processes
+PrivateTmp=true
+
+# cgroups are readable only by radiusd, and child processes
+ProtectControlGroups=true
+
+# don't load new kernel modules
+ProtectKernelModules=true
+
+# don't tune kernel parameters
+ProtectKernelTunables=true
+
+# Only allow native system calls
+SystemCallArchitectures=native
+
+# We shouldn't be writing to the configuration directory
+ReadOnlyDirectories=/etc/freeradius/
+
+# We can read and write to the log directory.
+ReadWriteDirectories=/var/log/freeradius/
+
 [Install]
 WantedBy=multi-user.target
diff --git a/redhat/radiusd.service b/redhat/radiusd.service
index 5f0931b8ba7c..2eff7281fb4e 100644
--- a/redhat/radiusd.service
+++ b/redhat/radiusd.service
@@ -7,7 +7,6 @@ Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ htt
 Type=notify
 WatchdogSec=60
 NotifyAccess=all
-PIDFile=/var/run/radiusd/radiusd.pid
 EnvironmentFile=-/etc/sysconfig/radiusd
 
 # FreeRADIUS can do static evaluation of policy language rules based
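Review bot: The comment added above `CapabilityBoundingSet=` in the debian unit still reads `# Allow binding to secure ports, broadcast addresses, and raw interfaces.`, but the list ported here also retains CAP_SETUID, CAP_SETGID, CAP_CHOWN and CAP_DAC_OVERRIDE — the last of which bypasses file permission checks for the whole process — so the comment no longer describes what is being kept, and the redhat unit's comment in the last hunk of this patch has the same stale first line. The redhat hunk at least gains a caveat that the list needs further testing; the debian unit should carry an equivalent one that states why the four extra capabilities are kept (presumably the privilege drop and the `chown` of the runtime directory a few lines above), e.g. `# CAP_SETUID/CAP_SETGID/CAP_CHOWN/CAP_DAC_OVERRIDE are retained so the daemon can drop privileges and manage its runtime directory; review whether CAP_DAC_OVERRIDE is really needed.` Separately, `ReadOnlyDirectories=` and `ReadWriteDirectories=` are the pre-systemd-231 spellings of `ReadOnlyPaths=`/`ReadWritePaths=`, and `ReadWriteDirectories=/var/log/freeradius/` has no practical effect unless something such as `ProtectSystem=` has made that path read-only, which nothing in this unit does.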
@@ -27,7 +26,7 @@ RuntimeDirectory=radiusd
 RuntimeDirectoryMode=0775
 ExecStartPre=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cx -lstdout
 ExecStartPre=/usr/bin/chown radiusd:radiusd /var/run/radiusd
-ExecStart=/usr/sbin/radiusd $FREERADIUS_OPTIONS
+ExecStart=/usr/sbin/radiusd -f $FREERADIUS_OPTIONS
 Restart=on-failure
 RestartSec=5
 
@@ -35,7 +34,10 @@ RestartSec=5
 NoNewPrivileges=true
 
 # Allow binding to secure ports, broadcast addresses, and raw interfaces.
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+#
+# This list of capabilities may not be exhaustive, and needs
+# further testing. Please uncomment, test, and report any issues.
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
 
 # Private /tmp that isn't shared by other processes
 PrivateTmp=true
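Review bot: The new comment above `CapabilityBoundingSet=` ends with `Please uncomment, test, and report any issues.`, but the directive beneath it is not commented out — the widened set is live as soon as the unit loads — so the instruction does not match the line it describes. Either the expanded `CapabilityBoundingSet=` line was meant to ship commented out for opt-in testing, in which case it needs a leading `#`, or the comment should be reworded to `# This list of capabilities may not be exhaustive and needs further testing; please report any issues.` If the directive stays active, the surrounding comment should also say which of CAP_SETUID, CAP_SETGID, CAP_CHOWN and CAP_DAC_OVERRIDE is needed for what, since a reader of `# Allow binding to secure ports, broadcast addresses, and raw interfaces.` would not expect the process to retain the ability to bypass file permission checks.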