
systemd service sandboxing and security hardening #158

Closed
wants to merge 2 commits into from

Conversation

hakavlad (Contributor)

The new unit should enhance security without compromising functionality.
hakavlad (Contributor, Author) commented Feb 11, 2020

Adding a new daemon with superuser privileges was seen by many people as an argument against enabling earlyoom by default in Fedora.

Such applications run with super-user privileges and have full access to all private memory of all processes and sensitive user data. This is a huge security breach.

-- @xvitaly, https://pagure.io/fedora-workstation/issue/98#comment-612913

this should not be a root daemon anyway. It only needs one cap:
CAP_SYS_KILL. Hence, drop privs to some user of its own, and keep that
one cap. Use AmbientCapabilities= in the unit file.

-- Lennart, https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/YBX4TTRXHKB3ZHXFGWFRNBONHZPWM3IJ/

See also:

I use a similar setup and have no problem: https://github.com/hakavlad/nohang/blob/master/nohang/nohang.service.in

Do you have any questions?

rfjakob (Owner) commented Feb 12, 2020

I think we should make this as limited as possible and ignore the notifications.

In other words, don't run as root.

rfjakob added a commit that referenced this pull request Feb 12, 2020:

Run as a random unprivileged user instead of as root,
but add the capabilities CAP_KILL CAP_IPC_LOCK.

Supersedes #158
rfjakob (Owner) commented Feb 12, 2020

I have gone for the most secure approach here: f2b45e6

If the user wants GUI notifications, they have to comment out DynamicUser=true.

rfjakob closed this Feb 12, 2020

lyeoh commented Mar 3, 2020

In case anyone else gets stuck, I've needed to change ProtectHome=true to ProtectHome=read-only in addition to DynamicUser=true, to get GUI notifications.

nikita-moor commented

Clarify, please, what should I do to enable GUI notifications:

  • DynamicUser=true (or false?) - the comments of @rfjakob and @lyeoh are contradictory
  • ProtectHome=read-only

hakavlad (Contributor, Author) commented Mar 3, 2020

@nikita-moor

#DynamicUser=false

#In fact this is already implemented due to ProtectSystem=strict. Just comment this!
ProtectHome=read-only

Just comment DynamicUser and ProtectHome.
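As an added example (not the unit from this PR and not earlyoom's shipped earlyoom.service), a hardened unit that puts together the settings discussed above: the most restrictive DynamicUser=true variant from rfjakob's closing comment, and the changes lyeoh and hakavlad report are needed for GUI notifications. The binary path /usr/bin/earlyoom and the user name earlyoom are assumptions.

```ini
# Added illustrative unit, not earlyoom's own. Assumed: binary at
# /usr/bin/earlyoom (placeholder path).
[Unit]
Description=Early OOM Daemon (hardened example)

[Service]
ExecStart=/usr/bin/earlyoom

# Variant A, the approach this thread reports for commit f2b45e6: run
# under a transient user that systemd allocates at start and removes at
# stop. DynamicUser=true also implies ProtectSystem=strict,
# ProtectHome=read-only, PrivateTmp=yes, NoNewPrivileges=yes, RemoveIPC=yes.
# The thread reports that GUI notifications do not work in this variant.
DynamicUser=true

# Variant B (lyeoh, hakavlad): for GUI notifications, comment out
# DynamicUser=true above and relax ProtectHome= to read-only. Without
# DynamicUser= the service would run as root again unless a fixed
# unprivileged user is given; the user name below is an assumption.
#User=earlyoom
#ProtectHome=read-only

# Do not run as root, but keep the two capabilities the daemon needs:
# CAP_KILL to signal other users' processes, CAP_IPC_LOCK to lock memory.
# AmbientCapabilities= hands them to the unprivileged process;
# CapabilityBoundingSet= prevents it from ever acquiring any other.
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK

# Filesystem and kernel-interface sandboxing. ProtectSystem=strict mounts
# the whole hierarchy read-only except /dev, /proc and /sys.
# ProtectHome=true makes /home, /root and /run/user appear empty; this is
# the setting Variant B replaces with read-only.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
RestrictRealtime=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze security earlyoom.service` after installing the unit scores each of these directives and lists the ones still missing.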

hakavlad (Contributor, Author) commented Mar 3, 2020

@rfjakob I suggest providing and installing earlyoom-root.service with the package.
