debian/authd.service: Use even more restrictive access for authd #740

Merged
merged 4 commits into from
Jan 20, 2025
59 changes: 59 additions & 0 deletions debian/authd.service.in
@@ -14,6 +14,8 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=true
PrivateDevices=yes
PrivateMounts=yes
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
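Review bot: the two added directives, PrivateNetwork=yes and RestrictAddressFamilies=AF_UNIX, together mean that authd (and every library it loads) runs in a network namespace holding only a private loopback and that any socket() call for a family other than AF_UNIX fails with EAFNOSUPPORT; a one-line comment above PrivateNetwork=yes recording why authd itself never needs network access would keep that intent from being "fixed" later, and the package tests should exercise a full authentication round-trip under this unit to confirm nothing in the process tries to resolve a hostname or open a TCP socket.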
@@ -26,6 +28,63 @@ RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native

# This always corresponds to /var/cache/authd
CacheDirectory=authd
CacheDirectoryMode=0700

# This always corresponds to /var/lib/authd
StateDirectory=authd
StateDirectoryMode=0700

# This always corresponds to /etc/authd
ConfigurationDirectory=authd
ConfigurationDirectoryMode=0700

# Prevent writing to /usr and bootloader paths.
# We don't use "full" or "strict", because home paths can be anywhere and so we need
# to be able to write on / subfolders, excluding some we want to explicitly protect.
ProtectSystem=true

# This is similar to ProtectHome=read-only but we exclude /home since we may need to rename
# the user directories
ReadOnlyPaths=-/root
ReadOnlyPaths=-/run/user

# Deny access to places that we should not touch
ReadOnlyPaths=-/bin
ReadOnlyPaths=-/sbin
ReadOnlyPaths=-/lib
TemporaryFileSystem=/media:ro
TemporaryFileSystem=/snap:ro
TemporaryFileSystem=/var:ro
BindReadOnlyPaths=-/var/run/dbus
InaccessiblePaths=-/lost+found

# We need to be able to change /etc/group and /etc/gshadow, this is not great
# but it's required for local groups access. We can't just make those accessible
# via TemporaryFileSystem + Binds because we'd still get a write failure on rename.
ReadWritePaths=/etc

# Still let's protect some important etc paths.
BindReadOnlyPaths=-/etc/environment
BindReadOnlyPaths=-/etc/fstab
BindReadOnlyPaths=-/etc/localtime
BindReadOnlyPaths=-/etc/login.defs
BindReadOnlyPaths=-/etc/nsswitch.conf
BindReadOnlyPaths=-/etc/passwd
BindReadOnlyPaths=-/etc/shadow
BindReadOnlyPaths=-/etc/subgid
BindReadOnlyPaths=-/etc/sudo.conf
BindReadOnlyPaths=-/etc/sudoers
BindReadOnlyPaths=-/etc/sysctl.conf
BindReadOnlyPaths=-/etc/timezone
InaccessiblePaths=-/etc/apt
InaccessiblePaths=-/etc/default
InaccessiblePaths=-/etc/ssh
InaccessiblePaths=-/etc/systemd
ReadOnlyPaths=-/etc/pam.d
ReadOnlyPaths=-/etc/security

# Only permit system calls used by common system services, excluding any special purpose calls
SystemCallFilter=@system-service
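Review bot: the /etc hardening here is an exception list on top of ReadWritePaths=/etc, so siblings of the protected files remain writable: /etc/sudoers is bind-mounted read-only but /etc/sudoers.d is not, and /etc/subgid is covered while /etc/subuid is not. Either add `BindReadOnlyPaths=-/etc/sudoers.d` and `BindReadOnlyPaths=-/etc/subuid` next to their counterparts, or extend the "Still let's protect some important etc paths" comment to say which files were deliberately left out and why. It is also worth adding a test that /var/cache/authd and /var/lib/authd (CacheDirectory= and StateDirectory=) stay reachable once TemporaryFileSystem=/var:ro is in effect, and that the BindReadOnlyPaths=-/var/run/dbus entry still exposes the system bus socket, since those are the paths this hunk hides and then re-exposes.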