Re: [chrony-users] systemd service hardening |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-users Archives
]
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] systemd service hardening
- From: Kenny MacDermid <kenny@xxxxxxxxxxxx>
- Date: Tue, 31 Aug 2021 11:12:52 -0300
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=macdermid.ca; s=key1; t=1630419176; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=4WSEXFY+tUHJumU6rlXlpHloZCuIdTyKvD6Kl6sUAao=; b=GTievkhl25zuKUmxr2LNvr6w7PUsdroB1j8mghwWReYlmlO5/sqNmeTNAogcfHEnuIU5Aq 4fKDE5iOTWlse7dTrrPVos2YRSDejo/lItCFA067E7QSvoudnuugTSQdYXuO7iMY7NbIWn EVymbcPGrR3zUrQrbTUwDRwyStZGBFo=
On Tue, Aug 31, 2021 at 09:55:02AM +0200, Miroslav Lichvar wrote:
> On Mon, Aug 30, 2021 at 01:30:51PM -0300, Kenny MacDermid wrote:
> > Hello,
> >
> > Has there been any discussion around adding the systemd service
> > hardening changes from the PR to NixOS available at:
> >
> > https://github.com/NixOS/nixpkgs/pull/104944
>
> I don't remember anyone submitting this change. I think it needs more
> work to be accepted as the service example.
Thanks Miroslav. I'm certainly not a systemd sandboxing expert myself. I
was looking at how to make `systemd-analyze security` happier and came
across that issue. I saw suggestions that it be passed upstream so
thought I'd pass it along.
I've included the config directly in my NixOS config, and it appears to
be working without issue in my particular install. Looking at the FAQ I
see some other options that I should probably check as well. If you (or
anyone on the list) would like to make a more secure NixOS module I'm
sure the patches would be appreciated.
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.