
Bug#771625: openssh-server: Please add ProtectSystem=yes to service file



Package: openssh-server
Version: 1:6.7p1-3
Severity: wishlist

Hello,

If you add the option ProtectSystem=yes to the service file, then the
daemon will not have the ability to write to /usr.

There is no reason why it needs to write there, so enabling this
option should not cause any problems.

This option is one of the systemd security features for systemd
service files that was detailed in a talk[0] given by Lennart which
details various security features you can enable in your package's
service files.

micah

[0] http://ftp.nluug.nl/video/nluug/2014-11-20_nj14/zaal-2/5_Lennart_Poettering_-_Systemd.webm


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.54
ii  dpkg                   1.17.22
ii  init-system-helpers    1.22
ii  libc6                  2.19-13
ii  libcomerr2             1.42.12-1
ii  libgssapi-krb5-2       1.12.1+dfsg-15
ii  libkrb5-3              1.12.1+dfsg-15
ii  libpam-modules         1.1.8-3.1
ii  libpam-runtime         1.1.8-3.1
ii  libpam0g               1.1.8-3.1
ii  libselinux1            2.3-2
ii  libssl1.0.0            1.0.1j-1
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13+nmu1
ii  openssh-client         1:6.7p1-3
ii  openssh-sftp-server    1:6.7p1-3
ii  procps                 2:3.3.9-8
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  5.9+20140913-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard                      <none>
ii  monkeysphere                     0.37-2
pn  rssh                             <none>
ii  ssh-askpass                      1:1.2.4.1-9
ii  ssh-askpass-gnome [ssh-askpass]  1:6.7p1-3
pn  ufw                              <none>

-- debconf information excluded
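
As an added example (not part of the original report or of the Debian package), the following shell check reports which ProtectSystem= value a service ends up with from its unit file plus drop-ins, so the setting requested above can be audited. The unit name ssh.service, the drop-in name hardening.conf and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints the ProtectSystem= value in effect for a service,
# given its unit file followed by its drop-ins in the order systemd reads them.
effective_protect_system() {
    awk '
        FNR == 1 { in_service = 0 }            # each file starts outside any section
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # section header
            in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/)
            next
        }
        in_service && /^[ \t]*ProtectSystem[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")           # keep only the value
            sub(/[ \t]+$/, "")
            value = $0                         # a later assignment overrides an earlier one
        }
        END { print (value == "" ? "unset" : value) }
    ' "$@"
}

# Constructed sample files (assumed names, not copied from the package).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/ssh.service.d"

cat > "$demo_dir/ssh.service" <<'EOF'
[Unit]
Description=Constructed sample sshd unit

[Service]
ExecStart=/usr/sbin/sshd -D
EOF

# Drop-in carrying the option requested in this report.
cat > "$demo_dir/ssh.service.d/hardening.conf" <<'EOF'
[Service]
ProtectSystem=yes
EOF

echo "unit file only: $(effective_protect_system "$demo_dir/ssh.service")"
echo "with drop-in:   $(effective_protect_system "$demo_dir/ssh.service" \
    "$demo_dir/ssh.service.d/hardening.conf")"
```

On a running host, `systemctl show -p ProtectSystem ssh.service` reports the value systemd actually applied.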

