selfprivacy-api and selfprivacy-api-worker systemd services hardening #36

New Issue

Open

opened 2023-07-01 04:19:45 +03:00 by alexoundos · 2 comments

alexoundos commented 2023-07-01 04:19:45 +03:00

Collaborator

Currently, selfprivacy-api service runs under root user! In addition to that, none of the systemd hardening options are in use. Common options are described here.

As for selfprivacy-api-worker service it is unclear which privileges it must have.

Currently, [`selfprivacy-api` service runs under `root` user](https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/src/commit/65b5a1977756549240eae05005d1f6b5feef126d/api/api-module.nix#L65)! In addition to that, none of the systemd hardening options are in use. Common options are described [here](https://git.selfprivacy.org/alexoundos/articles/src/branch/master/article.md#common-hardening-options-execution-environment-configuration). As for `selfprivacy-api-worker` service it is unclear which privileges it must have.

alexoundos commented 2023-07-01 04:26:28 +03:00

Poster

Collaborator

Currently, selfprivacy-api service needs access to /etc/nixos/userdata/userdata.json file, which is only accessible by root user (owned by root with 600 mode). It needs to be decided how we change userdata.json file permissions (and maybe its location).

Currently, `selfprivacy-api` service needs access to `/etc/nixos/userdata/userdata.json` file, which is only accessible by `root` user (owned by `root` with 600 mode). It needs to be decided how we change `userdata.json` file permissions (and maybe its location).

alexoundos commented 2024-04-17 21:10:57 +03:00

Poster

Collaborator

Today (2024-04-17) we decided that SelfPrivacy API service:

1. needs to be first modified to call systemd services for tasks, which require root access.
2. will be given permission to start only those systemd services, which are:
   • listed in SP module definition
   • hardcoded
3. will most likely be granted permissions from security.sudo.extraRules, populated with specific systemd start commands (with services names from SP modules definitions and hardcoded ones)

Today (2024-04-17) we decided that SelfPrivacy API service: 1. needs to be first modified to call systemd services for tasks, which require root access. 2. will be given permission to start only those systemd services, which are: - listed in SP module definition - hardcoded 3. will most likely be granted permissions from `security.sudo.extraRules`, populated with specific `systemd start` commands (with services names from SP modules definitions and hardcoded ones)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

inex/test-collect-garbage

flakes

inex/test-autobackup

inex/test-systemd-rebuild

master

pre-release

flake-to-override-folder

flake-to-override

systemd-limits

ldap

api-redis

pleroma-fixes

development

rolling-testing

Labels

Clear labels   

Contributions welcome

  

Service packaging

  

bug

Something is not working   

duplicate

This issue or pull request already exists   

enhancement

New feature   

help wanted

Need some help   

invalid

Something is wrong   

question

More information is needed   

wontfix

This won't be fixed

No Label

Contributions welcome

Service packaging

bug

duplicate

enhancement

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: SelfPrivacy/selfprivacy-nixos-config#36

There is no content yet.