
opendkim.service: harden systemd service

Open Tachi107 opened this issue 3 years ago • 3 comments

The current opendkim.service file is not hardened, and systemd-analyze security opendkim.service reports an "UNSAFE" exposure level of 9.6.

With the help of that tool I've applied some more security hardenings to the unit file, and the exposure level dropped to an amazing 1.1!

Some of the most notable changes include:

  • Setting ProtectSystem= to strict, so that the entire file system is mounted read-only; users can allow-list writable paths by overriding the config with systemctl edit opendkim.service, but it shouldn't be needed. OpenDKIM doesn't modify files at all, and only creates a unix socket at startup, usually in /run/opendkim/opendkim.socket or /var/spool/postfix/opendkim/opendkim.socket. Both paths are allowed by default.

  • Denying execution of system binaries with NoExecPaths=/, and only allowing the opendkim binary itself with ExecPaths=/usr/sbin/opendkim, so that if an attacker is able to gain access to OpenDKIM they won't be able to do much, if anything, as spawning shells, listing files, etc. won't be allowed, making RCE vulnerabilities much harder to exploit.

  • Making home directories inaccessible with ProtectHome=true

  • Hiding all the users of the system, with PrivateUsers=true

  • Restricting the kind of permitted system calls with SystemCallFilter=@system-service and SystemCallFilter=~@privileged @resources

Ported from https://salsa.debian.org/debian/opendkim/-/merge_requests/3

Related to #146

Tachi107 avatar Jun 20 '22 09:06 Tachi107

@mdomsch how does this look to you?

Tachi107 avatar Jun 20 '22 09:06 Tachi107

I missed this while I was in the process of moving this summer. The ExecPaths may need to also include /usr/sbin/sendmail and /bin/sh as OpenDKIM can popen() sendmail to send success/failure reports to the standardized reporting addresses. I've been working with the Fedora SELinux team to add a SELinux policy which allows opendkim to invoke sendmail. Any systemd restrictive wrappers need to allow this as well.

mdomsch avatar Oct 19 '22 14:10 mdomsch

I should note, which mail submission tool to use is configurable in opendkim.conf. By default it's sendmail. The SELinux policy will allow sendmail, exim, postfix, and courier.

mdomsch avatar Oct 19 '22 18:10 mdomsch
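The following drop-in is an added example, not the unit file from this pull request or the one OpenDKIM ships. It collects the hardening directives listed in the opening post and adds the ExecPaths= entries mdomsch asks for in his comments, so that reports sent through popen() keep working. Everything not named in the thread (RuntimeDirectory=, ReadWritePaths=, the library directories in ExecPaths=, the exact sendmail and sh paths) is an assumption to verify on the target system.

```ini
# /etc/systemd/system/opendkim.service.d/hardening.conf
# Added example drop-in (not the project's shipped unit). Apply with
# `systemctl edit opendkim.service` or by writing this file, then
# `systemctl daemon-reload` and `systemctl restart opendkim.service`.
[Service]
# Mount the whole file system read-only; only the socket directories stay writable.
ProtectSystem=strict
# Assumption: /run/opendkim is created by RuntimeDirectory= (systemd adds it to
# ReadWritePaths= implicitly under ProtectSystem=strict); the Postfix chroot path
# is the second socket location named in the issue.
RuntimeDirectory=opendkim
ReadWritePaths=/var/spool/postfix/opendkim
# No access to home directories, and other users are hidden from the service.
ProtectHome=true
PrivateUsers=true

# Deny execution everywhere, then re-allow only what the daemon needs.
NoExecPaths=/
# opendkim itself, plus the mail submission tool and /bin/sh, because OpenDKIM
# popen()s the tool configured in opendkim.conf (sendmail by default) to send
# success/failure reports. Assumption: paths as on a typical Debian/Fedora box;
# check with `command -v sendmail` and `readlink -f /bin/sh`.
# Dynamically linked binaries also need their library directories executable;
# systemd.exec(5) uses /usr/lib /usr/lib64 in its own NoExecPaths= example.
ExecPaths=/usr/sbin/opendkim /usr/sbin/sendmail /bin/sh /usr/lib /usr/lib64

# Start from the generic system-service syscall set, then subtract the
# privileged and resource-control groups.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

After reloading, compare `systemd-analyze security opendkim.service` before and after, then exercise both the signing path and a report delivery: an exec denied by NoExecPaths= or a syscall blocked by the filter shows up in the journal (and, for syscalls, as the service dying with SIGSYS), which is how a missing ExecPaths= entry such as sendmail is noticed.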