fix mistakes; explain where to insert presented code

nixos-config-re
Alexander Tomokhov 2023-06-30 20:20:33 +04:00
parent 28feeaab77
commit 60faf1b712
1 changed files with 11 additions and 9 deletions


@ -51,7 +51,7 @@ There is [no universal way](https://github.com/NixOS/nixpkgs/pull/87661#issuecom
NixOS provides many services, available as `services.<name>.*`, which already have more or less hardening implemented by the means of systemd. For example, `services.nginx`, `services.gitea`, `services.jitsi-meet`, `services.redis`. At least, these services run under specific system non-`root` users without access to spawn a shell.
There are, however, services like `services.dovecot2`, `services.postfix` and `services.nextcloud`, which use their own means to spawn sub-processes under a specific user by a master process. Such master process is run under `root`. For example, nextcloud uses `php:fpm` ([PHP FastCGI Process Manager](https://php-fpm.org/)). Obviously, shell can be spawned by such processes and a lot more, but they do not have network connections outside world and intended specifically for process/workers management and logging. Ideally, we would want them to be run under non-`root` user regardless, but usually [it's not easy](https://github.com/docker-library/php/issues/70#issuecomment-1386729923) [to do](https://github.com/NixOS/nixpkgs/pull/93305/files#r456125288) and upstream might not expect such usage.
There are, however, services like `services.dovecot2`, `services.postfix` and `services.nextcloud`, which use their own means to spawn sub-processes under a specific user by a master process. Such master process is run under `root`. For example, nextcloud uses `php:fpm` ([PHP FastCGI Process Manager](https://php-fpm.org/)). Obviously, shell can be spawned by such processes and a lot more, but they do not have network connections with outside world and intended specifically for process/workers management and logging. Ideally, we would want them to be run under non-`root` user regardless, but usually [it's not easy](https://github.com/docker-library/php/issues/70#issuecomment-1386729923) [to do](https://github.com/NixOS/nixpkgs/pull/93305/files#r456125288) and upstream might not expect such usage.
_Btw, if your systemd service code gets large and you want to wrap it into something more esthetic, you [can](https://nixos.wiki/wiki/Extend_NixOS) [write your own NixOS service module](https://scvalex.net/posts/58/)._
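Review bot: the added line still carries the grammar slips the rewrite set out to fix: "network connections with outside world" should read "with the outside world", and "and intended specifically for process/workers management" needs "and are intended specifically for process/worker management". `php:fpm` is also not the program's name; the linked project is PHP-FPM, so write it that way. Finally, "a shell can be spawned by such processes and a lot more" is the one security claim in the paragraph and it is left vague: say plainly that the `root` master process is the worst place for a compromise to land, so the absence of outbound connections reduces exposure but is not a reason to leave it out of the `serviceConfig` hardening the rest of the page describes.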
@ -59,11 +59,11 @@ _Btw, if your systemd service code gets large and you want to wrap it into somet
These options are described in [official systemd execution environment configuration](https://www.freedesktop.org/software/systemd/man/systemd.exec.html). Note, that many of these may cause your service malfunction or even crash. So, always test after applying them.
```nix
# (refer to [capabilities man page](https://www.man7.org/linux/man-pages/man7/capabilities.7.html))
AmbientCapabilities = [ "" ];
The following code can be specified inside the curly brackets here `systemd.service.<name>.serviceConfig = { ... };`, where `<name>` is the placeholder for a real name of a service you set these options for:
# this can be enough for some web services
```nix
# these capabilities can be enough for some web services
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
DynamicUser = true;
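Review bot: the option path in the new sentence is wrong: the NixOS option is `systemd.services.<name>.serviceConfig` (plural `services`), not `systemd.service.<name>.serviceConfig`; as written, a reader who copies it gets an evaluation error for a non-existent option. Second, the new comment "these capabilities can be enough for some web services" is misleading for the snippet as shown. With `DynamicUser = true` the service runs unprivileged, `CapabilityBoundingSet` only caps what the process may ever hold, and `AmbientCapabilities = [ "" ]` (rendered by NixOS as an empty `AmbientCapabilities=`, which clears the set) grants nothing, so the unit cannot bind a port below 1024. That is the right default for a service on a high port behind a reverse proxy; a service that must listen on 80/443 also needs `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`. The comment should say which case it covers.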
@ -110,6 +110,8 @@ SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "
SystemCallFilter = [ "~@ipc" ];
```
Refer to [`man capabilities`](https://www.man7.org/linux/man-pages/man7/capabilities.7.html) for values of `AmbientCapabilities` and `CapabilityBoundingSet` options.
### some very specific hardening options (resource control unit settings)
These options are described in [official systemd resource control documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options).
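Review bot: the added pointer lands after the closing fence, but the reader meets `AmbientCapabilities` and `CapabilityBoundingSet` at the top of the block, roughly fifty lines earlier; it belongs next to the sentence that introduces the block, where the removed in-block comment used to be. Minor: the link targets section 7, so name it `capabilities(7)` rather than `man capabilities`.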
@ -196,7 +198,7 @@ _By specifying `1`, we're instructing `iptables` to insert the rule at the begin
- `journalctl -b-1 -u <name>` - in case you want to see logs only for previous boot
- `systemd-analyze security` - show security summary for all running services ("`SAFE`", "`EXPOSED`" and "`UNSAFE`" do not mean the factual situation, rather whether various systemd hardedning features are in use or not)
- `systemd-analyze security <name>` - show more detailed analysis for the specified service
- `htop` using tree view (`F5`) - to inspect the whole tree of processes/threads
- `htop` using tree view (`F5`) - to inspect the whole tree of processes/threads (`nix-shell -p htop --run htop` if you don't have it installed)
### cgroups
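Review bot: `nix-shell -p htop --run htop` is correct, but for the stated purpose, inspecting what a hardened service actually spawned, `systemctl status <name>` already prints the unit's cgroup with its process tree and needs no extra package; it is worth listing beside the `htop` tip. While here, fix the typo "hardedning" in the `systemd-analyze security` bullet.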
@ -264,6 +266,6 @@ As for NixOS, it also features `security.apparmor`, `security.audit` and even `p
- [security in NixOS overview wiki page](https://nixos.wiki/wiki/Security)
- [utility for validating nix store for packages affected by vulnerabilities](https://github.com/nix-community/vulnix)
- [example of the complex security hardening in NixOS](https://github.com/fort-nix/nix-bitcoin#security)
- [Limit the impact of a security intrusion with systemd directives article](https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html)
- [Hardening Applications with systemd](https://blog.sergeantbiggs.net/posts/hardening-applications-with-systemd/)
- [Systemd Hardening options explained](https://docs.arbitrary.ch/security/systemd.html)
- [limit the impact of a security intrusion with systemd directives article](https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html)
- [hardening applications with systemd](https://blog.sergeantbiggs.net/posts/hardening-applications-with-systemd/)
- [systemd hardening options explained](https://docs.arbitrary.ch/security/systemd.html)