Systemd/Hardening/ru: Difference between revisions

From NixOS Wiki
Latest revision as of 08:33, 20 August 2024

Systemd's service options are quite lax by default, and so it is often desirable to look at ways to harden systemd services.

A good way to get started on a given service is to look at the output of the command systemd-analyze security myService. From there, you can look at the documentation for the options you see in the output, often in man systemd.exec or man systemd.resource-control, and set the appropriate options for your service.
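As an added example (not code from the wiki page), the NixOS module below shows what the result of that process typically looks like for a hypothetical service called myService: every option it sets is one that systemd-analyze security reports on, and each is documented in systemd.exec(5) or systemd.resource-control(5). The service name and the ExecStart workload are placeholders chosen for illustration.

```nix
# Added example, not from the wiki page. "myService" and the hello binary are
# placeholders; replace them with the real service and adjust the options
# (especially the network and syscall lines) to what it actually needs.
{ pkgs, ... }:
{
  systemd.services.myService = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.hello}/bin/hello";   # placeholder workload

      # Identity: unprivileged transient user, no way back to more privilege
      DynamicUser = true;
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";

      # Filesystem view: read-only OS, no /home, private /tmp and /dev.
      # StateDirectory keeps one writable place (/var/lib/myService) despite
      # ProtectSystem=strict.
      ProtectSystem = "strict";
      StateDirectory = "myService";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      UMask = "0077";

      # Kernel interfaces the service has no business touching
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;

      # Process-level restrictions
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;
      RemoveIPC = true;

      # Network: only the socket families the service really needs.
      # IPAddressDeny=any blocks all IP traffic; drop it (or add IPAddressAllow)
      # for a service that must talk to the network.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      IPAddressDeny = "any";

      # Syscalls: the @system-service allowlist minus the privileged groups.
      # Lists in serviceConfig become repeated lines, which systemd merges.
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      SystemCallErrorNumber = "EPERM";
    };
  };
}
```

After a rebuild, running systemd-analyze security myService again shows which findings remain; anything the service genuinely needs (a writable path, a capability, a syscall group) is then re-enabled deliberately, one option at a time, rather than by loosening the whole unit. When a filtered syscall breaks the service, the journal shows the EPERM failures that SystemCallErrorNumber produces, which is what you want to see while testing instead of a silently killed process.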

Accessing the network with a different RootDirectory

To be able to access the network while having a RootDirectory specified, you need to give access to /etc/ssl, /etc/static/ssl and /etc/resolv.conf. The simplest way of doing this is to put /etc in the BindReadOnlyPaths option.

A more granular way would be to put these 3 paths into BindReadOnlyPaths, and wait for the creation of /etc/resolv.conf through a systemd.path unit.
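The granular variant, written out as an added example (not code from the wiki page): the three paths are bind-mounted read-only into the chroot, and a path unit starts the service only once /etc/resolv.conf exists. The service name and the curl workload are placeholders assumed for illustration.

```nix
# Added example, not from the wiki page. "myService" and the curl command are
# placeholders for a chrooted service that needs TLS roots and DNS.
{ pkgs, ... }:
{
  systemd.services.myService = {
    # Deliberately no wantedBy: the path unit below is what starts this
    # service, so it never runs before /etc/resolv.conf exists.
    serviceConfig = {
      ExecStart = "${pkgs.curl}/bin/curl -sS https://example.org/";  # placeholder

      # RuntimeDirectory creates /run/myService, which then serves as the root
      RuntimeDirectory = "myService";
      RootDirectory = "/run/myService";

      BindReadOnlyPaths = [
        "/nix/store"
        # NixOS builds /etc/ssl out of symlinks that go through /etc/static
        # into /nix/store, so all three must be visible for the CA bundle
        # (and therefore TLS verification) to resolve inside the chroot.
        "/etc/ssl"
        "/etc/static/ssl"
        # DNS. The leading "-" marks the bind mount as optional so a missing
        # file does not fail the unit; the path unit guarantees it is present.
        "-/etc/resolv.conf"
      ];

      # Gives the chroot a minimal /dev instead of an empty directory
      PrivateDevices = true;
    };
  };

  # Path unit: activate myService.service as soon as /etc/resolv.conf exists
  # (checked at activation and then watched via inotify).
  systemd.paths.myService = {
    wantedBy = [ "multi-user.target" ];
    pathConfig = {
      PathExists = "/etc/resolv.conf";
      Unit = "myService.service";
    };
  };
}
```

Replacing the three entries with a single "/etc" gives the simpler variant from the paragraph above, at the cost of exposing the whole host /etc (including any secrets kept there) read-only inside the chroot. A quick check that the granular version is complete is to run the service and watch the journal for certificate verification or name resolution errors: the first points at the /etc/ssl or /etc/static/ssl mount, the second at /etc/resolv.conf.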

Dropping a shell inside a systemd service

While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attach to it from outside of the service.

Simple example:

{ pkgs, ... }:
{
  systemd.services.myService = {
    serviceConfig = {
      ExecStart = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket new-session -s my-session -d";
      ExecStop = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket kill-session -t my-session";
      Type = "forking";

      # ...
    };
  };
}

Example with a RootDirectory specified:

{ pkgs, ... }:
{
  systemd.services.myService = {
    serviceConfig = {
      ExecStart = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket new-session -s my-session -d";
      ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
      Type = "forking";

      # Used as root directory
      RuntimeDirectory = "myService";
      RootDirectory = "/run/myService";

      BindReadOnlyPaths = [
        "/nix/store"
        # So tmux uses /bin/sh as shell
        "/bin"
      ];

      # This sets up a private /dev/tty
      # The tmux server would crash without this
      # since there would be nothing in /dev
      PrivateDevices = true;
    };
  };
}

To attach to the shell, simply execute tmux -S /path/to/tmux.socket attach.

Hardening examples

This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:

See also