FuzzyBot: Updating to match new version of source page

2025-10-07T21:26:13Z

Updating to match new version of source page

← Older revision		Revision as of 21:26, 7 October 2025
Line 7:		Line 7:
	A more granular way, would be to put these 3 paths into <code>BindReadOnlyPaths</code>, and wait for the creation of <code>/etc/resolv.conf</code> through a <code>systemd.path</code> unit.		A more granular way, would be to put these 3 paths into <code>BindReadOnlyPaths</code>, and wait for the creation of <code>/etc/resolv.conf</code> through a <code>systemd.path</code> unit.
	== Dropping a shell inside a systemd service ==		== Dropping a shell inside a systemd service ==
	While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for ~~exemple~~ to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.		While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
	Simple example:		Simple example:
	<syntaxhighlight lang="nix">		<syntaxhighlight lang="nix">

FuzzyBot: Updating to match new version of source page

2024-08-08T08:36:58Z

Updating to match new version of source page

New page

{{Systemd/breadcrumb}}

Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.
A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service.
== Accessing the network with a different RootDirectory ==
To be able to access the network while having a RootDirectory specified, you need to give access to <code>/etc/ssl</code>, <code>/etc/static/ssl</code> and <code>/etc/resolv.conf</code>. The simplest way of doing this is by simply putting <code>/etc</code> in the <code>BindReadOnlyPaths</code> option.
A more granular way, would be to put these 3 paths into <code>BindReadOnlyPaths</code>, and wait for the creation of <code>/etc/resolv.conf</code> through a <code>systemd.path</code> unit.
== Dropping a shell inside a systemd service ==
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
Simple example:
<syntaxhighlight lang="nix">

{ pkgs, ... }:
{
systemd.services.myService = {
serviceConfig = {
ExecStart = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket new-session -s my-session -d";
ExecStop = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket kill-session -t my-session";
Type = "forking";

# ...
};
};
}
</syntaxhighlight>
Example with a <code>RootDirectory</code> specified:
<syntaxhighlight lang="nix">
{ pkgs }:
{
systemd.services.myService = {
serviceConfig = {
ExecStart = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket new-session -s my-session -d";
ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
Type = "forking";

# Used as root directory
RuntimeDirectory = "myService";
RootDirectory = "/run/myService";

BindReadOnlyPaths = [
"/nix/store"

# So tmux uses /bin/sh as shell
"/bin"
];

# This sets up a private /dev/tty
# The tmux server would crash without this
# since there would be nothing in /dev
PrivateDevices = true;
};
};
}
</syntaxhighlight>
To attach to the shell, simply execute <code>tmux -S /path/to/tmux.socket attach</code>.
== Hardening examples ==
This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:
* Chrony: https://github.com/NixOS/nixpkgs/pull/104944/files
* Isso: https://github.com/NixOS/nixpkgs/pull/140840/files
* Mautrix-based bridge: https://github.com/mautrix/docs/pull/18/files
* Postfix: https://github.com/NixOS/nixpkgs/pull/93305/files
* TheLounge: https://github.com/thelounge/thelounge-deb/pull/78
== Related links ==
* SHH, systemd hardening helper: [https://www.synacktiv.com/en/publications/systemd-hardening-made-easy-with-shh systemd hardening made easy with SHH]

[[Category:NixOS]]
[[Category:Cookbook]]
[[Category:Security]]
[[Category:systemd]]

Systemd/Hardening/en - Revision history

FuzzyBot: Updating to match new version of source page

FuzzyBot: Updating to match new version of source page