Security: Difference between revisions

From NixOS Wiki
Older revision by imported>Nix: start writing security story for Nix
Newer revision by imported>Nix: add encryption, LUKS
Line 25: Line 25:
These are features which are easily supported using Nix(OS).

− ==== Flatpak support ====
+ ==== Encryption ====
+
+ These are features which can protect data on a system.
+
+ ===== Filesystem encryption =====
+
+ NixOS has [https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup LUKS] partition-level disk encryption support.
+
+ [https://nixos.org/manual/nixos/unstable/index.html#sec-luks-file-systems NixOS Manual - LUKS-Encrypted File Systems]
+
+ ==== Isolation ====
+
+ These are features which can limit a process or package's access to the host system.
+
+ ===== Flatpak support =====

[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces other security risks for the application [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/].

− ==== Containers ====
+ ===== Containers =====

− NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, don't provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.
+ NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.

===== References =====
Line 38: Line 52:
* [https://stgraber.org/2014/01/01/lxc-1-0-security-features/ LXC 1.0 Release, Security Features Coverage (user namespaces, unprivileged containers)]

− == Nix Official References ==
+ == Nix official references ==

* [https://nixos.org/manual/nix/stable/#ch-nix-security Nix Manual - Security Chapter]

Revision as of 05:30, 27 September 2021

Overview

This page is a guide to securing NixOS. Topics like hardening, process isolation, virtualization, firewalls, SELinux, containers, sandboxes, encryption, VPNs, etc. are in scope.

What Nix already gives you

Core features

These are security elements that are core features of using Nix(OS).

Obscurity of Nix store

In a vanilla NixOS system, the typical Linux filesystem hierarchy is, in large part, replaced with the Nix store's user environments. This means that some malware which might rely on finding system tools in particular places might fail. This is a form of security through obscurity and is only a minor layer of protection.

Effort to isolate runtime search paths

In general, there is an effort to avoid rpath (runtime library search path) collisions across users [1].

Multi-user installation

NixOS is always installed in multi-user mode. For standalone Nix, the manual covers multi-user installs. This lets multiple users have isolated store environments without needing root access to install their personal applications: Nix operations are delegated to dedicated build users through the Nix daemon.

Supported

These are features which are easily supported using Nix(OS).

Encryption

These are features which can protect data on a system.

Filesystem encryption

NixOS has LUKS partition-level disk encryption support.

NixOS Manual - LUKS-Encrypted File Systems

Isolation

These are features which can limit a process or package's access to the host system.

Flatpak support

Flatpak'ed applications are sandboxed and require explicit privilege declaration for most access outside their own path. NixOS includes support for Flatpak. Note that, since Flatpak application dependencies are bundled/vendored, this introduces other security risks for the application [2] (https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/).

Containers

NixOS includes support for Linux Containers (LXC). Containers, by default, do not provide much security. They are, oversimplifying a lot, a chroot environment with some resource constraints (cgroups). The root user in a container would also be root on the whole system though. To avoid this, you must use unprivileged containers. There are some complications to this. The end of this post covers them well in brief.
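The features described in the sections above (multi-user installation, filesystem encryption, Flatpak, containers) gathered into one configuration.nix, as an added example that is not from the wiki page. It uses NixOS module options; the disk UUID, the container name and the 192.168.100.x addresses are placeholders, the nix.settings.* names assume NixOS 22.05 or later, and the containers.* options are NixOS's declarative containers, which run under systemd-nspawn.

```nix
# configuration.nix (added example, not from the wiki). Placeholders: the
# disk UUID, the container name and the 192.168.100.x addresses.
# nix.settings.* needs NixOS 22.05 or later (older releases: nix.trustedUsers).
{ config, pkgs, ... }:

{
  # Filesystem encryption: unlock the LUKS volume holding / from the initrd.
  # /boot stays unencrypted so the bootloader can load the kernel and initrd.
  boot.initrd.luks.devices."cryptroot".device =
    "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";

  # Multi-user installation: builds run as the daemon's build users, so
  # ordinary users never need root to install software. Trusted users can
  # override daemon settings (substituters, sandbox) and are root-equivalent,
  # so keep that list short and restrict who may talk to the daemon at all.
  nix.settings = {
    allowed-users = [ "@wheel" "@users" ];
    trusted-users = [ "root" ];
    sandbox = true;
  };

  # Flatpak: apps run in the Flatpak sandbox and must declare the host
  # access they need. Their bundled runtimes still have to be kept updated.
  services.flatpak.enable = true;

  # Declarative NixOS container: its own network namespace rather than the
  # host's, a fresh root filesystem on every start, and only its service port
  # open. Root inside is still root on the host unless the container is made
  # unprivileged (see the complications noted above).
  containers.webdemo = {
    autoStart = true;
    ephemeral = true;
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    config = { ... }: {
      services.nginx.enable = true;
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "22.05";
    };
  };
}
```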

References

* LXC 1.0 Release, Security Features Coverage (user namespaces, unprivileged containers): https://stgraber.org/2014/01/01/lxc-1-0-security-features/

Nix official references

* Nix Manual - Security Chapter: https://nixos.org/manual/nix/stable/#ch-nix-security