debian/authd.service: Use even more restrictive access for authd #740

Merged
merged 4 commits into from
Jan 20, 2025

3v1n0 (Collaborator) commented Jan 18, 2025

Limit the authd access on system resources even more, to prevent unexpected behaviors.

UDENG-5583

3v1n0 added 4 commits January 18, 2025 05:18

Authd doesn't require network access (the brokers may), but the daemon
can safely live without any network access, we only care about being
able to connect to unix sockets!

We're using these paths in authd too, so let's just make it clearer in
the service file.

authd should not care about having access to most of system places so
let's restrict the process even more.

While we can't use /etc in read-only mode via ProtectSystem=full,
because we use gpasswd to write on /etc/groups and /etc/gshadow, we can
still limit the access to the most sensible /etc paths.
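
A sketch of the kind of sandboxing these four commit messages describe, added here as an illustration and not the contents of this PR's `debian/authd.service.in`. The directives are standard systemd options from systemd.exec(5) and systemd.resource-control(5); the drop-in file name and the specific `/etc` paths are assumptions.

```ini
# /etc/systemd/system/authd.service.d/hardening-example.conf
# (hypothetical drop-in name, constructed for this example)
[Service]
# Network: the daemon only needs to talk over unix sockets.
# RestrictAddressFamilies filters socket() calls, so new AF_INET/AF_INET6
# (and AF_NETLINK, AF_PACKET, ...) sockets cannot be created.
RestrictAddressFamilies=AF_UNIX
# IPAddressDeny is enforced per cgroup, so it also covers sockets that were
# inherited or passed in rather than created by the service itself.
IPAddressDeny=any

# File system: ProtectSystem=yes makes /usr and /boot read-only.
# ProtectSystem=full would additionally make /etc read-only, which cannot be
# used when the service runs gpasswd, because gpasswd rewrites files in /etc.
ProtectSystem=yes
PrivateTmp=yes

# /etc stays writable as a whole, so narrow it path by path instead.
# The paths below are constructed examples of locations a group-management
# daemon has no reason to modify or read; the leading "-" makes systemd
# ignore a path that does not exist on the host.
ReadOnlyPaths=-/etc/ssh -/etc/sudoers -/etc/sudoers.d -/etc/pam.d
InaccessiblePaths=-/etc/ssl/private

# "Most of system places": kernel and host-level interfaces the daemon
# should never need to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
LockPersonality=yes
```

Running `systemd-analyze security authd.service` before and after applying such settings shows which exposure items each directive closes.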
@3v1n0 3v1n0 requested a review from a team as a code owner January 18, 2025 04:25
@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.11%. Comparing base (36511cd) to head (c55b79b).
Report is 205 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #740      +/-   ##
==========================================
- Coverage   83.43%   83.11%   -0.33%     
==========================================
  Files          83       96      +13     
  Lines        8689     9588     +899     
  Branches       74       74              
==========================================
+ Hits         7250     7969     +719     
- Misses       1111     1236     +125     
- Partials      328      383      +55     


didrocks (Member) left a comment

Thanks a lot for this great addition and care (that will make the future MIR process easier). The amount of description for each setting is excellent and will be really helpful in the future.

Great work!

debian/authd.service.in (review thread resolved)
@3v1n0 3v1n0 merged commit ab2da28 into ubuntu:main Jan 20, 2025
10 checks passed