Systemd/Hardening/ru: Difference between revisions
Created page with "== См. Также ==" Tags: Mobile edit Mobile web edit |
Updating to match new version of source page |
||
| (4 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
{{Systemd/breadcrumb}} | {{Systemd/breadcrumb}} | ||
Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd. | |||
Systemd | |||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service. | A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service. | ||
| Line 20: | Line 18: | ||
</div> | </div> | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for | While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service. | ||
</div> | </div> | ||
Простой пример: | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
| Line 43: | Line 39: | ||
Example with a <code>RootDirectory</code> specified: | Example with a <code>RootDirectory</code> specified: | ||
</div> | </div> | ||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
{ pkgs }: | { pkgs }: | ||
| Line 52: | Line 47: | ||
ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session"; | ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session"; | ||
Type = "forking"; | Type = "forking"; | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
| Line 60: | Line 54: | ||
</div> | </div> | ||
BindReadOnlyPaths = [ | |||
BindReadOnlyPaths = [ | |||
"/nix/store" | "/nix/store" | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
Latest revision as of 21:26, 7 October 2025
Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd.
A good way to get started on a given service is to look at the output of the command systemd-analyze security myService. From there, you can look at the documentation for the options you see in the output, often in man systemd.exec or man systemd.resource-control, and set the appropriate options for your service.
Accessing the network with a different RootDirectory
To be able to access the network while having a RootDirectory specified, you need to give access to /etc/ssl, /etc/static/ssl and /etc/resolv.conf. The simplest way of doing this is by simply putting /etc in the BindReadOnlyPaths option.
A more granular way, would be to put these 3 paths into BindReadOnlyPaths, and wait for the creation of /etc/resolv.conf through a systemd.path unit.
Dropping a shell inside a systemd service
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for example to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
Простой пример:
{ pkgs, ... }:
{
systemd.services.myService = {
serviceConfig = {
ExecStart = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket new-session -s my-session -d";
ExecStop = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket kill-session -t my-session";
Type = "forking";
# ...
};
};
}
Example with a RootDirectory specified:
{ pkgs }:
{
systemd.services.myService = {
serviceConfig = {
ExecStart = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket new-session -s my-session -d";
ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
Type = "forking";
<div lang="en" dir="ltr" class="mw-content-ltr">
# Used as root directory
RuntimeDirectory = "myService";
RootDirectory = "/run/myService";
</div>
BindReadOnlyPaths = [
"/nix/store"
<div lang="en" dir="ltr" class="mw-content-ltr">
# So tmux uses /bin/sh as shell
"/bin"
];
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
# This sets up a private /dev/tty
# The tmux server would crash without this
# since there would be nothing in /dev
PrivateDevices = true;
};
};
}
To attach to the shell, simply execute tmux -S /path/to/tmux.socket attach.
Hardening examples
This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:
- Chrony: https://github.com/NixOS/nixpkgs/pull/104944/files
- Isso: https://github.com/NixOS/nixpkgs/pull/140840/files
- Mautrix-based bridge: https://github.com/mautrix/docs/pull/18/files
- Postfix: https://github.com/NixOS/nixpkgs/pull/93305/files
- TheLounge: https://github.com/thelounge/thelounge-deb/pull/78
См. Также
- SHH, systemd hardening helper: systemd hardening made easy with SHH