From 8d3cc9c5247ce3353f1f9a2ce63bda22cb78b287 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20H=C3=A4rdeman?=
Date: Fri, 20 Oct 2023 14:25:07 +0200
Subject: [PATCH] [gssproxy] Harden systemd .service file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Most of the configuration options should be straightforward.

The previous version of the .service file contained a comment that NoNewPrivileges=yes breaks the ability to open a socket under /var/lib/gssproxy. That does not appear to be correct because ProtectClock=yes was already set, which enables NoNewPrivileges.

Furthermore, the comment for ProtectKernelTunables also appears to be incorrect, because it doesn't make all of /proc read-only (it's only /proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq, see man systemd.exec(5)), so /proc/net/rpc/use-gss-proxy is still writeable. Perhaps it was a mixup with ProtectProc?

With this applied, the "systemd-analyze security gssproxy" score goes from 8.4 (EXPOSED) to 1.7 (OK). Tested with nfs-kernel-server, some more testing in other scenarios might still be necessary.

Also, note that this expects all RW data to be stored under /var/lib/gssproxy, /root, /home or /run/user.

Signed-off-by: David Härdeman
---
 systemd/gssproxy.service.in | 63 +++++++++++++++++++++++++++----------
 1 file changed, 46 insertions(+), 17 deletions(-)

diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
index 9795807..a3f65e0 100644
--- a/systemd/gssproxy.service.in
+++ b/systemd/gssproxy.service.in
@@ -5,7 +5,8 @@ After=syslog.target network.target
 Before=rpc-gssd.service
 
 [Service]
-StateDirectory=gssproxy/clients gssproxy/rcache
+ConfigurationDirectory=gssproxy
+StateDirectory=gssproxy gssproxy/clients gssproxy/rcache
 Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
 ExecStart=@sbindir@/gssproxy -i
 # This can be changed to notify-reload and ExecReload= can be removed once
@@ -13,22 +14,50 @@ ExecStart=@sbindir@/gssproxy -i
 Type=notify
 ExecReload=/bin/kill -HUP $MAINPID
 
-ProtectSystem=full
-ProtectClock=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-RestrictRealtime=true
-# NoNewPrivileges: when true breaks the ability to open a socket
-# under /var/lib/gssproxy so no NoNewPrivileges
-# PrivateTmp: can't be used as it hides ccaches stored in /tmp
-# ProtectHome: blocks access to /home which may hold ccaches
-# ProtectHostname: blocks propagation of hostname on change
-# but in some cases, when using a keytab, we may want to see hostname
-# changes as the server will want to respond only for the system name
-# ProtectKernelTunables: blocks ability to write to proc.
-# on startup gssproxy needs to write in proc to let nfsd know it can
-# use the "new" gssproxy method instead of the old rpc stuff.
-
+ProtectSystem=strict
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+# Blocks access to /home which may hold ccaches, also breaks euid mappings
+PrivateUsers=no
+# For now, read-writeable ccaches in /tmp, /root, /home and /run/user are
+# allowed, if you know that no such ccaches are used on your system, you might
+# want to override these defaults with a drop-in (see man systemd.unit(5))
+# like this (stored in e.g. /etc/systemd/system/gssproxy.d/override.conf):
+# [Service]
+# PrivateTmp=yes
+# ProtectHome=tmpfs
+# ReadWritePaths=
+PrivateTmp=no
+ProtectHome=no
+ReadWritePaths=/root /home /run/user
+# Blocks propagation of hostname on change but when using a keytab, we want to
+# see hostname changes as the server will want to respond only for that name
+ProtectHostname=no
+ProtectClock=yes
+# Does *not* block rw access to /proc/net/rpc/use-gss-proxy
+ProtectKernelTunables=yes
+# Blocks access to /proc/net/rpc/use-gss-proxy and executable name matching
+ProtectProc=default
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_LOCAL
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+PrivateMounts=yes
+# Stricter version:
+# SystemCallFilter=@default @basic-io @file-system @io-event @network-io @signal @ipc @process madvise umask uname
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+IPAddressDeny=any
+UMask=0177
 
 [Install]
 WantedBy=multi-user.target
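Review bot: `PrivateNetwork=yes`, `IPAddressDeny=any` and `RestrictAddressFamilies=AF_UNIX AF_LOCAL` leave the daemon with no way to reach a KDC, which the keytab-only acceptor setup this was tested with (nfs-kernel-server) does not need, but a host where gssproxy also initiates contexts on behalf of users (the client-side scenario the commit message leaves untested) presumably needs AF_INET/AF_INET6 and network access to obtain service tickets. Worth a comment above `PrivateNetwork=yes` stating the acceptor-only assumption and the matching drop-in override (`PrivateNetwork=no`, `IPAddressDeny=`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`), next to the existing ccache drop-in example. The comment above `ProtectProc=default` reads as if `default` itself blocked /proc/net/rpc/use-gss-proxy; suggest `# ProtectProc=invisible/noaccess would block /proc/net/rpc/use-gss-proxy and executable name matching, so keep default`. With `UMask=0177` anything gssproxy creates without an explicit chmod ends up mode 0600, so it is worth confirming the listening socket under /var/lib/gssproxy still gets its mode set explicitly by the daemon, otherwise non-root clients could no longer connect. This hunk covers the rest of the `[Service]` section whose header lies in the first hunk.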