Ubuntu
nginx package

insufficient security settings for nginx systemd services

Bug #2136126 reported by Hadmut Danisch
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nginx (Ubuntu)
Confirmed
Wishlist
Unassigned

Bug Description

Same problem I just reported for postfix Bug #2136123 :

Hi,

on a 24.04 server I observed, that

/usr/lib/systemd/system/nginx.service

doesn't use any of the security features and options systemd provides.

In contrast, dovecot package's does it better:

/usr/lib/systemd/system/dovecot.service

PrivateTmp=true
NonBlocking=yes
ProtectSystem=full
ProtectHome=no
PrivateDevices=true
LimitNOFILE=65535

which is not even complete, there's more in man systemd.exec , e.g. PrivateIPC (especially everything that starts with Protect* and Private*

A service that is typically exposed open to the world and permanently under heavy attack as a webserver, the security options systemd offers should really be used, for good reasons.

Same applies to many other packages.

Maybe it's a good idea to require every *.service unit file in debian/ubuntu packages to contain settings (even if they just set =no), and to make to package building tools spit out warnings if not.

I'd recommend to take more care about this for 26.04 LTS.

regards

Revision history for this message
Hadmut Danisch (hadmut) wrote :

Basically, go through the whole SANDBOXING chapter in man systemd.exec.

Seth Arnold (seth-arnold)
Changed in nginx (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Changed in nginx (Ubuntu):
importance: Undecided → Wishlist
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Hadmut, good to hear from you again.

We have evaluating service's systemd isolation settings as an item in the MIR review checklist https://documentation.ubuntu.com/project/MIR/mir-reviewers-template/ in order to address moving packages into main with better defaults. Handling existing packages in main is harder, as it is easier to introduce regressions that influence many users. I believe we shouldn't make these changes during the development lifecycle of the forthcoming 26.04 LTS release -- they should have been tested in at least one interim release first. I believe the opening of the 26.10 cycle would be the best time to introduce these changes so that we can trial them with a smaller, more enthusiast audience, before rolling them out to more users in 28.04 LTS.

Thanks

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.