Closed Choraden closed 3 months ago
Forwarder does not need that many permissions, we can restrict it to minimum.
CAP_NET_BIND_SERVICE can be used to allow this user to bind to a port < 1024 if desired.
The work is based on wireproxy's systemd configuration[1]. Also I found systemd service hardening doc[2] helpful.
DynamicUser/Strict system protection didn't work as package installs forwarder binary at /usr/bin.
[1] https://github.com/pufferffish/wireproxy/pull/103. [2] https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
Forwarder does not need that many permissions, we can restrict it to minimum.
CAP_NET_BIND_SERVICE can be used to allow this user to bind to a port < 1024 if desired.
The work is based on wireproxy's systemd configuration[1]. Also I found systemd service hardening doc[2] helpful.
DynamicUser/Strict system protection didn't work as package installs forwarder binary at /usr/bin.
[1] https://github.com/pufferffish/wireproxy/pull/103. [2] https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04