* [PATCH rpcbind 1/4] systemd/rpcbind.service.in: Add few default EnvironmentFile
2024-08-23 0:23 [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in Petr Vorel
@ 2024-08-23 0:23 ` Petr Vorel
2024-08-23 0:23 ` [PATCH rpcbind 2/4] man/rpcbind: Add Files section to manpage Petr Vorel
` (3 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: Petr Vorel @ 2024-08-23 0:23 UTC (permalink / raw)
To: linux-nfs
Cc: libtirpc-devel, Petr Vorel, Steve Dickson, Josue Ortega,
NeilBrown, Thomas Blume, Yann Leprince

Add some defaults so that distros can drop patches to configure it.

* openSUSE and Fedora use /etc/sysconfig/rpcbind
  https://build.opensuse.org/projects/network/packages/rpcbind/files/0001-systemd-unit-files.patch?expand=1
  https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.3-systemd-envfile.patch
* Debian uses /etc/rpcbind.conf and /etc/default/rpcbind
  https://salsa.debian.org/debian/rpcbind/-/blob/buster/debian/rpcbind.service?ref_type=heads

Add all these 3 in order:
* /etc/rpcbind.conf
* /etc/default/rpcbind
* /etc/sysconfig/rpcbind

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
systemd/rpcbind.service.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
index c892ca8..c5bbd5e 100644
--- a/systemd/rpcbind.service.in
+++ b/systemd/rpcbind.service.in
@@ -12,6 +12,9 @@ Wants=rpcbind.target
[Service]
Type=notify
# distro can provide a drop-in adding EnvironmentFile=-/??? if needed.
+EnvironmentFile=-/etc/rpcbind.conf
+EnvironmentFile=-/etc/default/rpcbind
+EnvironmentFile=-/etc/sysconfig/rpcbind
ExecStart=@_sbindir@/rpcbind $RPCBIND_OPTIONS @warmstarts_opt@ -f
[Install]
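Review bot: the context comment directly above the added lines ("# distro can provide a drop-in adding EnvironmentFile=-/??? if needed.") is now out of date, because the unit ships three EnvironmentFile= entries itself. Replace it with a comment that states the order and its consequence: systemd reads the files in the order listed and a later file overrides a variable set by an earlier one, so RPCBIND_OPTIONS from /etc/sysconfig/rpcbind wins over /etc/default/rpcbind and /etc/rpcbind.conf when more than one exists. Since all three feed $RPCBIND_OPTIONS on the ExecStart= line, the comment or the man page should also say that they are expected to be root-owned and not writable by other users.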
--
2.45.2
* [PATCH rpcbind 2/4] man/rpcbind: Add Files section to manpage
2024-08-23 0:23 [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in Petr Vorel
2024-08-23 0:23 ` [PATCH rpcbind 1/4] systemd/rpcbind.service.in: Add few default EnvironmentFile Petr Vorel
@ 2024-08-23 0:23 ` Petr Vorel
2024-08-23 0:23 ` [RFC][PATCH rpcbind 3/4] systemd/rpcbind.service.in: Add various hardenings options Petr Vorel
` (2 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: Petr Vorel @ 2024-08-23 0:23 UTC (permalink / raw)
To: linux-nfs
Cc: libtirpc-devel, Josue Ortega, Steve Dickson, NeilBrown,
Thomas Blume, Yann Leprince, Petr Vorel
From: Josue Ortega <josue@debian.org>
Previous commit added 3 non-default files, mention them in man page.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
man/rpcbind.8 | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/man/rpcbind.8 b/man/rpcbind.8
index fbf0ace..cdcdcfd 100644
--- a/man/rpcbind.8
+++ b/man/rpcbind.8
@@ -150,6 +150,14 @@ starts up. The state file is created when
.Nm
terminates.
.El
+.Sh FILES
+The
+.Nm
+utility tries to load configuration file in following order:
+.Bd -literal
+.Pa /etc/rpcbind.conf
+.Pa /etc/default/rpcbind
+.Pa /etc/sysconfig/rpcbind
.Sh NOTES
All RPC servers must be restarted if
.Nm
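Review bot: the added ".Bd -literal" has no closing ".Ed" before ".Sh NOTES", so the display block is left open; add ".Ed" after the last ".Pa" line, or drop the display and list the paths with a .Bl/.It list closed by .El, as the preceding section does. The wording also says the rpcbind utility loads these files, while per patch 1/4 they are read by systemd through EnvironmentFile= in rpcbind.service; the text should say so, and that they only apply when rpcbind is started by that unit. "tries to load configuration file in following order" would read better as "these configuration files in the following order".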
--
2.45.2
* [RFC][PATCH rpcbind 3/4] systemd/rpcbind.service.in: Add various hardenings options
2024-08-23 0:23 [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in Petr Vorel
2024-08-23 0:23 ` [PATCH rpcbind 1/4] systemd/rpcbind.service.in: Add few default EnvironmentFile Petr Vorel
2024-08-23 0:23 ` [PATCH rpcbind 2/4] man/rpcbind: Add Files section to manpage Petr Vorel
@ 2024-08-23 0:23 ` Petr Vorel
2024-08-23 0:23 ` [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup Petr Vorel
2024-08-31 17:56 ` [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in Steve Dickson
4 siblings, 0 replies; 9+ messages in thread
From: Petr Vorel @ 2024-08-23 0:23 UTC (permalink / raw)
To: linux-nfs
Cc: libtirpc-devel, Petr Vorel, Steve Dickson, Josue Ortega,
NeilBrown, Thomas Blume, Yann Leprince, Johannes Segitz
We've been running rpcbind 1.2.6 with it in openSUSE since 2021.
NOTE: In systemd < 244 (released Nov 2019) some of these options are
unknown and will produce warnings, see
https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
Cc: Johannes Segitz <jsegitz@suse.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
systemd/rpcbind.service.in | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
index c5bbd5e..272e55a 100644
--- a/systemd/rpcbind.service.in
+++ b/systemd/rpcbind.service.in
@@ -10,6 +10,16 @@ Requires=rpcbind.socket
Wants=rpcbind.target
[Service]
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
Type=notify
# distro can provide a drop-in adding EnvironmentFile=-/??? if needed.
EnvironmentFile=-/etc/rpcbind.conf
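Review bot: the ten directives are added at the top of [Service], above Type=notify, with no comment; the systemd >= 244 requirement and the reason for this set exist only in the commit message. Add a one-line comment in the unit saying that these are hardening options and that some need systemd >= 244, and consider placing the block after ExecStart= so the service definition itself stays first. ProtectSystem=full and the other Protect*/Private* options make systemd set up a mount namespace for the service, so it would also help to state in the commit message that the state directory and lock file paths were checked to remain writable, given the "Failed at step NAMESPACE" error described in 4/4.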
--
2.45.2
* [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup
2024-08-23 0:23 [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in Petr Vorel
` (2 preceding siblings ...)
2024-08-23 0:23 ` [RFC][PATCH rpcbind 3/4] systemd/rpcbind.service.in: Add various hardenings options Petr Vorel
@ 2024-08-23 0:23 ` Petr Vorel
2024-08-23 1:01 ` Petr Vorel
2024-08-31 17:56 ` [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in Steve Dickson
4 siblings, 1 reply; 9+ messages in thread
From: Petr Vorel @ 2024-08-23 0:23 UTC (permalink / raw)
To: linux-nfs
Cc: libtirpc-devel, Petr Vorel, Steve Dickson, Josue Ortega,
NeilBrown, Thomas Blume, Yann Leprince

Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora
rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2]
where /var/run/rpcbind.lock cannot be created due to a missing /var/run/
directory. But the suggestion to add RequiresMountFor=... was
implemented in ee569be ("Fix boot dependency in systemd service file").

But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and
/run/rpcbind.lock there is an error on openSUSE Tumbleweed with rpcbind
1.2.6:

rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system

Adding systemd-tmpfiles-setup.service fixes it.

NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but
systemd-tmpfiles-setup.service looks to me more specific).
openSUSE uses only After=sysinit.target as a result of #1117217 [3]
(also works).

[1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561
[3] https://bugzilla.suse.com/show_bug.cgi?id=1117217

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
systemd/rpcbind.service.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
index 272e55a..771b944 100644
--- a/systemd/rpcbind.service.in
+++ b/systemd/rpcbind.service.in
@@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@
# Make sure we use the IP addresses listed for
# rpcbind.socket, no matter how this unit is started.
Requires=rpcbind.socket
-Wants=rpcbind.target
+Wants=rpcbind.target systemd-tmpfiles-setup.service
+After=systemd-tmpfiles-setup.service
[Service]
ProtectSystem=full
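Review bot: the new Wants=/After= on systemd-tmpfiles-setup.service has no comment in the unit, although the lines above it explain the rpcbind.socket dependency; the reason (the NAMESPACE "Read-only file system" start failure) exists only in the commit message. Add a short comment above After= saying what it orders against and why. Also consider putting the new Wants= on its own line instead of appending it to Wants=rpcbind.target, so a distro drop-in or a later revert touches one line only. If ordering alone fixes the failure, After= without Wants= would be the smaller change; the commit message should say which combination was tested.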
--
2.45.2
* Re: [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup
2024-08-23 0:23 ` [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup Petr Vorel
@ 2024-08-23 1:01 ` Petr Vorel
2024-08-30 15:40 ` Steve Dickson
0 siblings, 1 reply; 9+ messages in thread
From: Petr Vorel @ 2024-08-23 1:01 UTC (permalink / raw)
To: linux-nfs
Cc: libtirpc-devel, Steve Dickson, Josue Ortega, NeilBrown,
Thomas Blume, Yann Leprince, Steve Langasek
Hi Steve,
> Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora
> rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2]
> where /var/run/rpcbind.lock cannot be created due to a missing /var/run/
> directory. But the suggestion to add RequiresMountFor=... was
> implemented in ee569be ("Fix boot dependency in systemd service file").
> But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and
> /run/rpcbind.lock there is an error on openSUSE Tumbleweed with rpcbind
> 1.2.6:
> rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system
> Adding systemd-tmpfiles-setup.service fixes it.
> NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but
> systemd-tmpfiles-setup.service looks to me more specific).
> openSUSE uses only After=sysinit.target as a result of #1117217 [3]
> (also works).
Reading RH #1117217 once more I wonder if old Fedora patch [4], which places
rpcbind.lock into /var/run/rpcbind/ would be a better solution:
configure.ac
- --with-statedir=ARG use ARG as state dir [default=/var/run/rpcbind]
+ --with-statedir=ARG use ARG as state dir [default=/run/rpcbind]
...
- with_statedir=/var/run/rpcbind
+ with_statedir=/run/rpcbind
src/rpcbind.c
-#define RPCBINDDLOCK "/var/run/rpcbind.lock"
+#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock"
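Review bot: in the src/rpcbind.c part, RPCBINDDLOCK becomes RPCBIND_STATEDIR "/rpcbind.lock", which moves the lock file from /var/run/ into the state directory, so that directory has to exist before rpcbind takes the lock. When this is sent as a proper patch, the commit message should say what creates the directory at boot, and should call out the lock path change for distros that override --with-statedir.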
But I suppose other out-of-tree patch [5] is not a dependency for it, right?
Debian [6] and openSUSE [7] use a simpler version to move to /run. Maybe time
to upstream Fedora patch and distros will adopt it?
Kind regards,
Petr
> [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561
> [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217
[4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch
[5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch
[6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads
[7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> systemd/rpcbind.service.in | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
> index 272e55a..771b944 100644
> --- a/systemd/rpcbind.service.in
> +++ b/systemd/rpcbind.service.in
> @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@
> # Make sure we use the IP addresses listed for
> # rpcbind.socket, no matter how this unit is started.
> Requires=rpcbind.socket
> -Wants=rpcbind.target
> +Wants=rpcbind.target systemd-tmpfiles-setup.service
> +After=systemd-tmpfiles-setup.service
> [Service]
> ProtectSystem=full
* Re: [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup
2024-08-23 1:01 ` Petr Vorel
@ 2024-08-30 15:40 ` Steve Dickson
2024-08-30 16:51 ` Petr Vorel
0 siblings, 1 reply; 9+ messages in thread
From: Steve Dickson @ 2024-08-30 15:40 UTC (permalink / raw)
To: Petr Vorel, linux-nfs
Cc: libtirpc-devel, Josue Ortega, NeilBrown, Thomas Blume,
Yann Leprince, Steve Langasek
Hey!
My apologies for taking so long to address these patches.
On 8/22/24 9:01 PM, Petr Vorel wrote:
> Hi Steve,
>
>> Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora
>> rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2]
>> where /var/run/rpcbind.lock cannot be created due to a missing /var/run/
>> directory. But the suggestion to add RequiresMountFor=... was
>> implemented in ee569be ("Fix boot dependency in systemd service file").
>
>> But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and
>> /run/rpcbind.lock there is an error on openSUSE Tumbleweed with rpcbind
>> 1.2.6:
>
>> rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system
>
>> Adding systemd-tmpfiles-setup.service fixes it.
>
>> NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but
>> systemd-tmpfiles-setup.service looks to me more specific).
>> openSUSE uses only After=sysinit.target as a result of #1117217 [3]
>> (also works).
>
> Reading RH #1117217 once more I wonder if old Fedora patch [4], which places
> rpcbind.lock into /var/run/rpcbind/ would be a better solution:
>
> configure.ac
> - --with-statedir=ARG use ARG as state dir [default=/var/run/rpcbind]
> + --with-statedir=ARG use ARG as state dir [default=/run/rpcbind]
> ...
> - with_statedir=/var/run/rpcbind
> + with_statedir=/run/rpcbind
>
> src/rpcbind.c
> -#define RPCBINDDLOCK "/var/run/rpcbind.lock"
> +#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock"
>
> But I suppose other out-of-tree patch [5] is not a dependency for it, right?

I don't like out-of-tree patches but sometimes they are necessary
since I didn't want to force other distros to adapt what
I made Fedora use.

>
> Debian [6] and openSUSE [7] use a simpler version to move to /run. Maybe time
> to upstream Fedora patch and distros will adopt it?

It is time! :-) I'm all for distros to consolidate into one code
base... it is much easier to find bugs and support. IMHO.
Please send patches [6] and [7] in the correct patch form and
I will commit them and most likely create another release.

Thank you.. for pointing these differences out!!

steved.

>
> Kind regards,
> Petr
>
>> [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561
>> [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217
>
> [4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch
> [5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch
> [6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads
> [7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1
>
>> Signed-off-by: Petr Vorel <pvorel@suse.cz>
>> ---
>> systemd/rpcbind.service.in | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>> diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
>> index 272e55a..771b944 100644
>> --- a/systemd/rpcbind.service.in
>> +++ b/systemd/rpcbind.service.in
>> @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@
>> # Make sure we use the IP addresses listed for
>> # rpcbind.socket, no matter how this unit is started.
>> Requires=rpcbind.socket
>> -Wants=rpcbind.target
>> +Wants=rpcbind.target systemd-tmpfiles-setup.service
>> +After=systemd-tmpfiles-setup.service
>
>> [Service]
>> ProtectSystem=full
>
* Re: [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup
2024-08-30 15:40 ` Steve Dickson
@ 2024-08-30 16:51 ` Petr Vorel
0 siblings, 0 replies; 9+ messages in thread
From: Petr Vorel @ 2024-08-30 16:51 UTC (permalink / raw)
To: Steve Dickson
Cc: linux-nfs, libtirpc-devel, Josue Ortega, NeilBrown, Thomas Blume,
Yann Leprince, Steve Langasek
Hi Steve,
> Hey!
> My apologies for taking so long to address these patches.
No problem, understand you're busy.
> On 8/22/24 9:01 PM, Petr Vorel wrote:
> > Hi Steve,
> > > Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora
> > > rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2]
> > > where /var/run/rpcbind.lock cannot be created due to a missing /var/run/
> > > directory. But the suggestion to add RequiresMountFor=... was
> > > implemented in ee569be ("Fix boot dependency in systemd service file").
> > > But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and
> > > /run/rpcbind.lock there is an error on openSUSE Tumbleweed with rpcbind
> > > 1.2.6:
> > > rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system
> > > Adding systemd-tmpfiles-setup.service fixes it.
> > > NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but
> > > systemd-tmpfiles-setup.service looks to me more specific).
> > > openSUSE uses only After=sysinit.target as a result of #1117217 [3]
> > > (also works).
> > Reading RH #1117217 once more I wonder if old Fedora patch [4], which places
> > rpcbind.lock into /var/run/rpcbind/ would be a better solution:
> > configure.ac
> > - --with-statedir=ARG use ARG as state dir [default=/var/run/rpcbind]
> > + --with-statedir=ARG use ARG as state dir [default=/run/rpcbind]
> > ...
> > - with_statedir=/var/run/rpcbind
> > + with_statedir=/run/rpcbind
> > src/rpcbind.c
> > -#define RPCBINDDLOCK "/var/run/rpcbind.lock"
> > +#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock"
> > But I suppose other out-of-tree patch [5] is not a dependency for it, right?
> I don't like out-of-tree patches but sometimes they are necessary
> since I didn't want to force other distros to adapt what
> I made Fedora use.
Sure, let's drop this. I was also thinking to add this as a configuration issue,
but I suppose most of the distro maintainers are perfectly ok with this
directory patch.
> > Debian [6] and openSUSE [7] use a simpler version to move to /run. Maybe time
> > to upstream Fedora patch and distros will adopt it?
> It is time! :-) I'm all for distros to consolidate into one code
> base... it is much easier to find bugs and support. IMHO.
> Please send patches [6] and [7] in the correct patch form and
> I will commit them and most likely create another release.
I'll do, thanks!
Kind regards,
Petr
> Thank you.. for pointing these differences out!!
> steved.
> > Kind regards,
> > Petr
> > > [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch
> > > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561
> > > [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217
> > [4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch
> > [5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch
> > [6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads
> > [7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1
> > > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> > > ---
> > > systemd/rpcbind.service.in | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > > diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
> > > index 272e55a..771b944 100644
> > > --- a/systemd/rpcbind.service.in
> > > +++ b/systemd/rpcbind.service.in
> > > @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@
> > > # Make sure we use the IP addresses listed for
> > > # rpcbind.socket, no matter how this unit is started.
> > > Requires=rpcbind.socket
> > > -Wants=rpcbind.target
> > > +Wants=rpcbind.target systemd-tmpfiles-setup.service
> > > +After=systemd-tmpfiles-setup.service
> > > [Service]
> > > ProtectSystem=full
* Re: [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in
2024-08-23 0:23 [PATCH rpcbind 0/4] Update systemd/rpcbind.service.in Petr Vorel
` (3 preceding siblings ...)
2024-08-23 0:23 ` [RFC][PATCH rpcbind 4/4] systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup Petr Vorel
@ 2024-08-31 17:56 ` Steve Dickson
4 siblings, 0 replies; 9+ messages in thread
From: Steve Dickson @ 2024-08-31 17:56 UTC (permalink / raw)
To: Petr Vorel, linux-nfs
Cc: libtirpc-devel, Josue Ortega, NeilBrown, Thomas Blume,
Yann Leprince
On 8/22/24 8:23 PM, Petr Vorel wrote:
> Hi,
>
> NOTE I'm not systemd expert, others may understand more.
>
> But trying to upstream various hardenings options which we have been
> using since 2021. Adding EnvironmentFile I tested locally today.
> systemd-tmpfiles-setup.service should be also safe.
>
> Kind regards,
> Petr
>
> Josue Ortega (1):
> man/rpcbind: Add Files section to manpage
>
> Petr Vorel (3):
> systemd/rpcbind.service.in: Add few default EnvironmentFile
> systemd/rpcbind.service.in: Add various hardenings options
> systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup
>
> man/rpcbind.8 | 8 ++++++++
> systemd/rpcbind.service.in | 16 +++++++++++++++-
> 2 files changed, 23 insertions(+), 1 deletion(-)
>
Committed... (tag: rpcbind-1_2_8-rc1)
steved.