-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: create and package systemd units #151
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #151 +/- ##
==========================================
+ Coverage 88.62% 88.83% +0.20%
==========================================
Files 34 35 +1
Lines 2532 2650 +118
==========================================
+ Hits 2244 2354 +110
- Misses 221 228 +7
- Partials 67 68 +1 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, just some minor comments.
aa408a1
to
b0d150b
Compare
Create systemd units for the socket-activated daemon and install them in the built deb. As the daemon only communicates via D-Bus (via Unix sockets) we can activate almost all hardening options provided by systemd, lowering the exposure level reported by `systemd-analyze security` from 9.8 to 1.8. Because config/cache paths are configurable (and writable) I avoided enabling ProtectSystem which mounts the system read-only. Fixes UDENG-1877
b0d150b
to
ae68d5c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work! This is quite a protected service / set of units, I though have some questions and I think some suggestions:
- did you try adding/removing users from system groups? I do not see anything blocking here, but still worth trying.
- especially as we are executing other subprocesses like gpasswd and see its effects (even if it’s only supposed to read /etc/passwd and edit /etc/groups).
- I think we should restrict the subprocesses we can execute to reduce the attack surface with
ExecPaths=
nested insideNoExecPaths
(setting it to gpasswd and getent). However, I didn’t have the time last months to test why it didn’t behave as expected, so if you can have some attempts on this…
Had a look with strace and it seems that Strangely enough, if I add the following directives to the service (taking gpasswd out of the picture) it won't start at all 🤔: NoExecPaths=/
ExecPaths=/sbin/authd
I can't really figure out what's going on so I'm inclined to keep these directives out of the service definition for now.
This is a good point, running |
- remove network restrictions which would hinder the proper functionality of getent over external protocols like LDAP - permit CAP_CHOWN capability for gpasswd - document some restrictions - use a glob approach to install services
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for doing those changes! Everything looks good from my side, with the big mistery of Exec permissions, but it’s something we will tackel in other places too anyway in the future.
Create systemd units for the socket-activated daemon and install them in the built deb.
As the daemon only communicates via D-Bus (via Unix sockets) we can activate almost all hardening options provided by systemd, lowering the exposure level reported by
systemd-analyze security
from 9.8 to 1.8. Looking at each of the options, the newest one we use isProcSubset
added in v247 available starting with Jammy.Because config/cache paths are configurable (and writable) I avoided enabling
ProtectSystem
which mounts the system read-only.I confirmed installing the deb will correctly enable
authd.socket
and immediately startauthd.service
.Fixes UDENG-1877