Re: Systemd service hardening project

To: debian-devel@lists.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Systemd service hardening project
From: Marco d'Itri <md@Linux.IT>
Date: Sat, 29 Nov 2025 15:39:17 +0100
Message-id: <[🔎] aSsFlWVGr1jlWTmS@bongo.bofh.it>
In-reply-to: <[🔎] 20251129095354.Horde.5I4gVXa8khuTPUvgtRyqeTr@nextcloud1.intra.algiz.nu>
References: <[🔎] 20251129095354.Horde.5I4gVXa8khuTPUvgtRyqeTr@nextcloud1.intra.algiz.nu>

On Nov 29, Jarl Gullberg <jarl.gullberg@visar-systems.com> wrote:

The short summary is that we're looking at improving the usage ofsystemd's hardening options for services, sockets, timers, and the likewithin the Debian ecosystem. Right now, usage levels are pretty variedand there aren't any hardening guidelines in place for Debian packagesas it relates to systemd service hardening.

This looks like a great idea, but I think it would be hard to executewithout real-world testing of each package.E.g. as it has been noted in this thread, daemons which send emailscannot use NoNewPrivileges.

A related topic is to systematically enable StateDirectory,LogsDirectory, etc... everywhere they can be used.


--
ciao,
Marco

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Systemd service hardening project
  - From: Jarl Gullberg <jarl.gullberg@visar-systems.com>

References:
- Systemd service hardening project
  - From: Jarl Gullberg <jarl.gullberg@visar-systems.com>

Prev by Date: Re: Systemd service hardening project
Next by Date: Intention to drop multilib support from architecture cross bootstrap (rebootstrap)
Previous by thread: Re: Systemd service hardening project
Next by thread: Re: Systemd service hardening project
Index(es):
- Date
- Thread