docs: add a topic about security #433

daniloegea · 2024-01-10T17:38:24Z

Description

Checklist

Runs make check successfully.
Retains 100% code coverage (make check-coverage).
New/changed keys in YAML format are documented.
(Optional) Adds example YAML for new feature.
(Optional) Closes an open bug in Launchpad.

slyon

Thank you, lgtm! (beside some small spelling nitpicks)

But I'd like to see @rkratky's sign-off on this, too.

doc/.wordlist.txt

rkratky

@daniloegea Thank you for the addition of the topic. I left some comments and suggestions.

doc/.wordlist.txt

rkratky · 2024-01-11T16:34:57Z

doc/security.md

@@ -0,0 +1,45 @@
+---
+title: "Netplan Security"


Suggested change

title: "Netplan Security"

title: "Netplan security"

rkratky · 2024-01-11T16:35:23Z

doc/security.md

+
+## Storing credentials
+
+Credentials, such as VPN keys and wifi passwords, are stored along with the rest


Suggested change

Credentials, such as VPN keys and wifi passwords, are stored along with the rest

Credentials, such as VPN keys and Wi-Fi passwords, are stored along with the rest

rkratky · 2024-01-11T16:50:56Z

doc/security.md

+## Storing credentials
+
+Credentials, such as VPN keys and wifi passwords, are stored along with the rest
+of the configuration in YAML files. Netplan expects that all your YAML files


"Netplan expects" is an anthropomorphism. Let's try to avoid it. In order to reword the sentence, could you please clarify if it is a hard requirement for the YAML files to be owned by root and only readable by root (i.e. would Netplan fail to function properly if this condition was not met)?

It's not a hard requirement. I guess something like The recommended set of permissions is... would be better.

rkratky · 2024-01-11T16:51:11Z

doc/security.md

+
+Credentials, such as VPN keys and wifi passwords, are stored along with the rest
+of the configuration in YAML files. Netplan expects that all your YAML files
+will belong to the root user and only have permissions to be read by root (`chmod 600`).


Suggested change

will belong to the root user and only have permissions to be read by root (`chmod 600`).

belong to the root user and only have permissions to be read by root (`chmod 600`).

Unless there's something really temporal happening, try to avoid using any other tense but present.

rkratky · 2024-01-11T17:07:09Z

doc/security.md

+run unit tests and the Netplan generator against a number of YAML files. This helps
+us to detect issues, such as memory leaks and buffer overflows, at runtime using real
+configuration as input. When a memory issue is detected the process will crash, letting
+us know that some issue was introduced in the change.


Suggested change

us know that some issue was introduced in the change.

that some issue was introduced in the change.

rkratky · 2024-01-11T17:07:27Z

doc/security.md

+configuration as input. When a memory issue is detected the process will crash, letting
+us know that some issue was introduced in the change.
+
+Every time a Pull Request is created or changes are merged to the main branch,


Suggested change

Every time a Pull Request is created or changes are merged to the main branch,

Every time a pull request is created or changes are merged to the main branch,

rkratky · 2024-01-11T17:08:16Z

doc/security.md

+us know that some issue was introduced in the change.
+
+Every time a Pull Request is created or changes are merged to the main branch,
+these tests will be executed and, if a crash happens, the workflow will fail. 


Suggested change

these tests will be executed and, if a crash happens, the workflow will fail.

CI executes these tests, and, if a crash happens, the workflow fails.

rkratky · 2024-01-11T17:15:48Z

doc/security.md

+## Binary package hardening
+
+On Ubuntu and Debian, Netplan is built (and in fact most of the binary packages are)
+with a number of security flags that will apply some hardening to the resulting binary.


Suggested change

with a number of security flags that will apply some hardening to the resulting binary.

with a number of security flags that apply some hardening to the resulting binary.

rkratky · 2024-01-11T18:39:27Z

doc/security.md

+On Ubuntu and Debian, Netplan is built (and in fact most of the binary packages are)
+with a number of security flags that will apply some hardening to the resulting binary.
+That is intended to make the life of attackers harder in case any security issue is
+discovered. See `dpkg-buildflags(1)` for details.


Suggested change

discovered. See `dpkg-buildflags(1)` for details.

discovered. See the `dpkg-buildflags(1)` manual page for details.

daniloegea · 2024-01-12T10:48:53Z

Thank you folks. I tried to address all the issues you have found. Please, let me know if there is anything else to improve.

slyon approved these changes Jan 11, 2024

View reviewed changes

doc/.wordlist.txt Outdated Show resolved Hide resolved

doc/.wordlist.txt Outdated Show resolved Hide resolved

slyon requested a review from rkratky January 11, 2024 16:05

rkratky requested changes Jan 11, 2024

View reviewed changes

docs: add a topic about security

024a203

daniloegea force-pushed the security_topic_docs branch from 6c88df9 to 024a203 Compare January 12, 2024 10:44

daniloegea requested a review from rkratky January 12, 2024 10:48

rkratky approved these changes Jan 17, 2024

View reviewed changes

daniloegea merged commit aa9c427 into canonical:main Jan 17, 2024
5 checks passed

slyon added the documentation Documentation improvements. label Jan 31, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs: add a topic about security #433

docs: add a topic about security #433

daniloegea commented Jan 10, 2024

slyon left a comment

rkratky left a comment

rkratky Jan 11, 2024

rkratky Jan 11, 2024

rkratky Jan 11, 2024

daniloegea Jan 12, 2024

rkratky Jan 11, 2024

rkratky Jan 11, 2024

rkratky Jan 11, 2024

rkratky Jan 11, 2024

rkratky Jan 11, 2024

rkratky Jan 11, 2024

daniloegea commented Jan 12, 2024


		## Storing credentials

		Credentials, such as VPN keys and wifi passwords, are stored along with the rest

	Credentials, such as VPN keys and wifi passwords, are stored along with the rest
	Credentials, such as VPN keys and Wi-Fi passwords, are stored along with the rest

	will belong to the root user and only have permissions to be read by root (`chmod 600`).
	belong to the root user and only have permissions to be read by root (`chmod 600`).

	us know that some issue was introduced in the change.
	that some issue was introduced in the change.

	Every time a Pull Request is created or changes are merged to the main branch,
	Every time a pull request is created or changes are merged to the main branch,

	these tests will be executed and, if a crash happens, the workflow will fail.
	CI executes these tests, and, if a crash happens, the workflow fails.

	with a number of security flags that will apply some hardening to the resulting binary.
	with a number of security flags that apply some hardening to the resulting binary.

	discovered. See `dpkg-buildflags(1)` for details.
	discovered. See the `dpkg-buildflags(1)` manual page for details.

docs: add a topic about security #433

docs: add a topic about security #433

Conversation

daniloegea commented Jan 10, 2024

Description

Checklist

slyon left a comment

Choose a reason for hiding this comment

rkratky left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

daniloegea commented Jan 12, 2024