Systemd/Hardening/ru: Difference between revisions
Created page with "<syntaxhighlight lang="nix"> { pkgs }: { systemd.services.myService = { serviceConfig = { ExecStart = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket new-session -s my-session -d"; ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session"; Type = "forking";" |
Created page with "Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd." |
||
Line 1: | Line 1: | ||
{{Systemd/breadcrumb}} | {{Systemd/breadcrumb}} | ||
Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd. | |||
Systemd | |||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service. | A good way to get started on a given service is to look at the output of the command <code>systemd-analyze security myService</code>. From there, you can look at the documentation for the options you see in the output, often in <code>man systemd.exec</code> or <code>man systemd.resource-control</code>, and set the appropriate options for your service. |
Latest revision as of 08:33, 20 August 2024
Опции служб Systemd по умолчанию довольно слабые по защищённости, поэтому часто бывает желательно рассмотреть способы усиления безопасности служб Systemd.
A good way to get started on a given service is to look at the output of the command systemd-analyze security myService
. From there, you can look at the documentation for the options you see in the output, often in man systemd.exec
or man systemd.resource-control
, and set the appropriate options for your service.
Accessing the network with a different RootDirectory
To be able to access the network while having a RootDirectory specified, you need to give access to /etc/ssl
, /etc/static/ssl
and /etc/resolv.conf
. The simplest way of doing this is by simply putting /etc
in the BindReadOnlyPaths
option.
A more granular way, would be to put these 3 paths into BindReadOnlyPaths
, and wait for the creation of /etc/resolv.conf
through a systemd.path
unit.
Dropping a shell inside a systemd service
While hardening a service, it often happens that you want a shell inside a hardened systemd unit, for exemple to check access to files, or check the network connectivity. One way to do this is to use tmux to create a session inside the service, and attaching to it outside of the service.
Простой пример:
{ pkgs, ... }:
{
systemd.services.myService = {
serviceConfig = {
ExecStart = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket new-session -s my-session -d";
ExecStop = "${pkgs.tmux}/bin/tmux -S /tmp/tmux.socket kill-session -t my-session";
Type = "forking";
# ...
};
};
}
Example with a RootDirectory
specified:
{ pkgs }:
{
systemd.services.myService = {
serviceConfig = {
ExecStart = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket new-session -s my-session -d";
ExecStop = "${pkgs.tmux}/bin/tmux -S /run/myService/tmux.socket kill-session -t my-session";
Type = "forking";
<div lang="en" dir="ltr" class="mw-content-ltr">
# Used as root directory
RuntimeDirectory = "myService";
RootDirectory = "/run/myService";
</div>
BindReadOnlyPaths = [
"/nix/store"
<div lang="en" dir="ltr" class="mw-content-ltr">
# So tmux uses /bin/sh as shell
"/bin"
];
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
# This sets up a private /dev/tty
# The tmux server would crash without this
# since there would be nothing in /dev
PrivateDevices = true;
};
};
}
To attach to the shell, simply execute tmux -S /path/to/tmux.socket attach
.
Hardening examples
This list contains proposed hardening options that are not yet upstreamed. Please use with caution, and please notify the author of the change if something breaks:
- Chrony: https://github.com/NixOS/nixpkgs/pull/104944/files
- Isso: https://github.com/NixOS/nixpkgs/pull/140840/files
- Mautrix-based bridge: https://github.com/mautrix/docs/pull/18/files
- Postfix: https://github.com/NixOS/nixpkgs/pull/93305/files
- TheLounge: https://github.com/thelounge/thelounge-deb/pull/78
См. Также
- SHH, systemd hardening helper: systemd hardening made easy with SHH