selfprivacy-api and selfprivacy-api-worker systemd services hardening #36
Reference: SelfPrivacy/selfprivacy-nixos-config#36
Currently, selfprivacy-api service runs under root user! In addition to that, none of the systemd hardening options are in use. Common options are described here.

As for selfprivacy-api-worker service it is unclear which privileges it must have.

Currently, selfprivacy-api service needs access to /etc/nixos/userdata/userdata.json file, which is only accessible by root user (owned by root with 600 mode). It needs to be decided how we change userdata.json file permissions (and maybe its location).

Today (2024-04-17) we decided that SelfPrivacy API service:

security.sudo.extraRules, populated with specific systemd start commands (with services names from SP modules definitions and hardcoded ones)
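
An added sketch of the sudo-rule approach mentioned above, written as a NixOS module fragment; it is not code from this issue or from the SelfPrivacy repository. The dedicated user name, the unit names in `startableUnits`, the use of `systemctl start` and the two sandboxing options are assumptions made for illustration.

```nix
# Added example, not SelfPrivacy's configuration.
{ ... }:
let
  # Assumed name for a dedicated non-root service account.
  apiUser = "selfprivacy-api";
  # Hypothetical unit names. The issue says the real list comes from
  # SP module definitions plus hardcoded names.
  startableUnits = [ "example-a.service" "example-b.service" ];
  systemctl = "/run/current-system/sw/bin/systemctl";
in
{
  users.groups.${apiUser} = { };
  users.users.${apiUser} = {
    isSystemUser = true;
    group = apiUser;
  };

  # One sudoers entry per exact command line. There are no wildcards and
  # no bare "systemctl", so the account can start the listed units and
  # cannot stop, edit or start anything else through sudo.
  security.sudo.extraRules = [
    {
      users = [ apiUser ];
      runAs = "root";
      commands = map
        (unit: {
          command = "${systemctl} start ${unit}";
          options = [ "NOPASSWD" ];
        })
        startableUnits;
    }
  ];

  systemd.services.selfprivacy-api.serviceConfig = {
    User = apiUser;
    Group = apiUser;
    # Mount-namespace sandboxing; these two do not by themselves set
    # the no_new_privs flag.
    PrivateTmp = true;
    ProtectHome = true;
    # NoNewPrivileges=true is left unset on purpose: with no_new_privs
    # the setuid sudo binary cannot gain root, so every rule above
    # would stop working. The same applies to any hardening option
    # that turns no_new_privs on implicitly for a non-root unit.
  };
}
```

Running `sudo -l -U selfprivacy-api` on the built system lists the commands the account is allowed to run, which makes it easy to check that only the intended `start` lines were generated.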