;;
esac
-# ** exim non-root
+# ** exim non-root related setting
case $HOSTNAME in
bk|je|li)
dirs+=($d)
fi
done
- u /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
+ {
+ cat <<EOF
[Service]
# see 56.2 Root privilege in exim spec
-$(if $run_as_nonroot; then e AmbientCapabilities=CAP_NET_BIND_SERVICE; fi)
-
# https://www.redhat.com/sysadmin/mastering-systemd
# things that seem good and reasonabl.e
PrivateTmp=yes
# socket bind() to port 25 for address (any IPv6) failed: Permission denied
# but we also have to set the file capabilities to avoid the error.
#NoNewPrivileges=yes
-ProtectSystem=yes
+ProtectSystem=full
# when we get newer systemd
#ProtectDevices=yes
+
+# based on systemd-analyze security exim4. todo: There are more options I haven't investigated.
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+EOF
+
+ if $run_as_nonroot; then
+ cat <<'EOF'
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# This is just duplicate of the setguid that it already has, but no harm to be safe and it gives green checkboxes in
+# systemd-analyze security exim4.
+User=Debian-exim
+Group=Debian-exim
+ExecStartPre=
+ExecStartPre=+/usr/sbin/update-exim4.conf $UPEX4OPTS
EOF
+ fi
+ } | u /etc/systemd/system/exim4.service.d/nonroot.conf
+
if $run_as_nonroot; then
+
+
u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
# see 56.2 Root privilege in exim spec
deliver_drop_privilege = true
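Review bot: The `ExecStartPre=+/usr/sbin/update-exim4.conf $UPEX4OPTS` line at the end of the quoted heredoc is the one command in this drop-in that runs with full privileges: systemd.service(5) documents that the `+` prefix skips User=, Group=, CapabilityBoundingSet= and the namespacing options (PrivateTmp=, ProtectSystem=) for that command, so it is exempt from everything the first heredoc and the CAP_NET_BIND_SERVICE bounding set restrict. The comment directly above only says User=/Group= are a harmless duplicate and gives no hint that the next line is the deliberate root escape hatch, which is exactly what a later reader tightening this unit would want flagged; I would add `# '+' runs update-exim4.conf as unrestricted root (outside User=, CapabilityBoundingSet= and the sandboxing above) so it can regenerate the exim config - presumably because Debian-exim cannot write the generated file; confirm.` above it. Relatedly, the `# see 56.2 Root privilege in exim spec` comment under `[Service]` in the first heredoc now annotates nothing, since the capability line it explained moved into the `$run_as_nonroot` branch; moving it to sit above `AmbientCapabilities=CAP_NET_BIND_SERVICE` keeps the reference next to what it justifies. Since the first heredoc no longer contains any shell expansion, quoting its delimiter (`cat <<'EOF'`) like the second one would also guard against a future `$` in a systemd directive being expanded at generation time.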
After=local-fs.target
[Service]
-ExecStartPre=/usr/local/bin/exim-nn-iptables
+ExecStartPre=+/usr/local/bin/exim-nn-iptables
EOF
if ! mountpoint -q $sdir; then
stopifactive exim4 exim4in