Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

systemd user units #58

Closed
arcticicestudio opened this issue Nov 15, 2017 · 0 comments
Closed

systemd user units #58

arcticicestudio opened this issue Nov 15, 2017 · 0 comments

Comments

@arcticicestudio
Copy link
Owner

arcticicestudio commented Nov 15, 2017

The new systemd snowblock should include user service units to

  1. automount the sync gocryptfs volume located in the Dropbox folder receiving the password stored in the GNOME keyring via secret-tool (libsecret). The service unit should be named igloosync-dropbox.
  2. automatically run a instance of the ssh-agent using the $SSH_AUTH_SOCK and let systemd manage the $SSH_AGENT_PID env

The new snowblock should include a documentation to describe the requirements for the igloosync-dropbox.service file. It should contain information

  • about how to create the required gocryptfs password stored- and received via secret-tool
  • about how to configure FUSE (libfuse) with the /etc/fuse.conf file to allow non-root users to specify the allow_other or allow_root mount options which overrides the security measure restricting file access to the filesystem owner, so that all users (including root) can access the files. This is necessary to access the files of the mounted gocryptfs volume with applications that are run via sudo. It is used in the pacman snowblock for the local package repository to prevent a Permission Denied exception when running pacman (e.g. sudo pacman -Sy) if the gocryptfs volume is not mounted with the -allow_other option. Please note that libfuse has a unresolved security bug when using the allow_other mount option as described in the official documentation, but is of little concern if the filesystem is accessible only to the mounting user which is the case since these are dotfiles for a personal system:

No other user (including root) can access the contents of the mounted filesystem (though this can be relaxed by allowing the use of the allow_other and allow_root mount options in /etc/fuse.conf)

If you intend to use the allow_other mount options, be aware that FUSE has an unresolved security bug: if the default_permissions mount option is not used, the results of the first permission check performed by the file system for a directory entry will be re-used for subsequent accesses as long as the inode of the accessed entry is present in the kernel cache - even if the permissions have since changed, and even if the subsequent access is made by a different user. This is of little concern if the filesystem is accessible only to the mounting user (which has full access to the filesystem anyway), but becomes a security issue when other users are allowed to access the filesystem (since they can exploit this to perform operations on the filesystem that they do not actually have permissions for).

This bug needs to be fixed in the Linux kernel and has been known since 2006 but unfortunately no fix has been applied yet. If you depend on correct permission handling for FUSE file systems, the only workaround is to use default_permissions (which does not currently support ACLs), or to completely disable caching of directory entry attributes.

snowsaw core plugin configuration

clean

The target path ~/.config/systemd/user should be cleaned before the link core plugin execution.

link

The target paths ~/.config/systemd/user for all unit files should be created by snowsaw if they doesn't exist yet.

The igloosync-dropbox.service unit file should only be linked for the archbook and igloo hosts while the ssh-agent.service file should be linked by default.

@arcticicestudio arcticicestudio added this to the 0.1.0 milestone Nov 15, 2017
@arcticicestudio arcticicestudio self-assigned this Nov 15, 2017
arcticicestudio added a commit that referenced this issue Nov 15, 2017
This commit for the new "systemd" (1) snowblock includes user service (2)
units (3) to

1. automount the "sync" gocryptfs (4) volume located in the Dropbox (5)
folder receiving the password stored in the GNOME Keyring (6) via
the "secret-tool" ("libsecret" (7)).
2. automatically run a instance of the "ssh-agent" (8) using the
"$SSH_AUTH_SOCK" and let systemd manage the "$SSH_AGENT_PID env.

>>> snowsaw core plugin configuration

>>>> clean

The target path "~/.config/systemd/user" is cleaned before the "link"
core plugin execution.

>>>> link

The target paths "~/.config/systemd/user" for all unit files will be
created by snowsaw if they doesn't exist yet.

The "igloosync-dropbox.service" unit file will be linked for the
"archbook" and "igloo" hosts while the "ssh-agent.service" file is
linked by default.

References:
  (1) https://wiki.archlinux.org/index.php/Systemd
  (2) https://www.freedesktop.org/software/systemd/man/systemd.service.html
  (3) https://www.freedesktop.org/software/systemd/man/systemd.unit.html
  (4) https://github.com/rfjakob/gocryptfs
  (5) https://www.dropbox.com
  (6) https://wiki.archlinux.org/index.php/GNOME/Keyring
  (7) https://wiki.gnome.org/Projects/Libsecret
  (8) https://wiki.archlinux.org/index.php/SSH_keys#ssh-agent

GH-58
arcticicestudio added a commit that referenced this issue Nov 16, 2017
This commit for the new "systemd" (1) snowblock includes user service (2)
units (3) to

1. automount the "sync" gocryptfs (4) volume located in the Dropbox (5)
folder receiving the password stored in the GNOME Keyring (6) via
the "secret-tool" ("libsecret" (7)).
2. automatically run a instance of the "ssh-agent" (8) using the
"$SSH_AUTH_SOCK" and let systemd manage the "$SSH_AGENT_PID env.

The new snowblock includes a documentation to describe the requirements
for the "igloosync-dropbox.service" file. It contains information

* about how to create the required "gocryptfs" password stored- and
received via "secret-tool"
* about how to configure FUSE (9) (libfuse (10)) with the "/etc/fuse.conf"
  file to allow non-root users to specify the "allow_other" or
  "allow_root" mount options which overrides the security measure
  restricting file access to the filesystem owner, so that all users
  (including root) can access the files.

>>> snowsaw core plugin configuration

>>>> clean

The target path "~/.config/systemd/user" is cleaned before the "link"
core plugin execution.

>>>> link

The target paths "~/.config/systemd/user" for all unit files will be
created by snowsaw if they doesn't exist yet.

The "igloosync-dropbox.service" unit file will be linked for the
"archbook" and "igloo" hosts while the "ssh-agent.service" file is
linked by default.

References:
  (1) https://wiki.archlinux.org/index.php/Systemd
  (2) https://www.freedesktop.org/software/systemd/man/systemd.service.html
  (3) https://www.freedesktop.org/software/systemd/man/systemd.unit.html
  (4) https://github.com/rfjakob/gocryptfs
  (5) https://www.dropbox.com
  (6) https://wiki.archlinux.org/index.php/GNOME/Keyring
  (7) https://wiki.gnome.org/Projects/Libsecret
  (8) https://wiki.archlinux.org/index.php/SSH_keys#ssh-agent
  (9) https://en.wikipedia.org/wiki/Filesystem_in_Userspace
  (10) https://github.com/libfuse/libfuse

GH-58
arcticicestudio added a commit that referenced this issue Nov 16, 2017
@arcticicestudio arcticicestudio removed their assignment Nov 18, 2017
arcticicestudio added a commit that referenced this issue Sep 15, 2018
Created a new snowblock for launchd (1) snowblock includes a user agent
defining a job to auto-mount the `sync` gocryptfs (2) volume located in
the Dropbox (3) folder receiving the password stored in the macOS
Keychain (4) via the macOS builtin system CLI tool `security`.

It also includes a documentation to describe the requirements for
the `com.arcticicestudio.igloo.launchd.igloosync` agent. It consists of
information about dependencies and how to create the required
`gocryptfs` password stored- and received via the macOS builtin system
CLI tool `security`.

Note that this is a macOS specific snowblock and therefore the
`com.arcticicestudio.igloo.launchd.igloosync-dropbox.plist` agent and
script file will only be linked for the `iceowl` host.

References:
  (1) https://wiki.freebsd.org/launchd
  (2) https://github.com/rfjakob/gocryptfs
  (3) https://www.dropbox.com
  (4) https://support.apple.com/guide/keychain-access/welcome/mac
    * http://www.launchd.info
    * launchd(1)
    * launchd.plist(5)
    * security(1)

Epic: GH-131
Related to GH-58
Closes GH-133
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant