Gentoo Forums
Tip : systemd, capabilities and rootless nginx
serafean
Joined: 11 Apr 2016
PostPosted: Mon Apr 11, 2016 9:40 am    Post subject: Tip : systemd, capabilities and rootless nginx

Hi all,

I wanted to try out how powerful systemd unit files are, so I came up with this challenge: start nginx rootless, with as little access as possible, listening on ports 80 and 443.

Software versions: systemd-229, linux-4.5, nginx 1.8.1

The unit file:
Code:
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
User=nginx
Group=nginx
Type=forking
PIDFile=/var/run/nginx/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -QUIT $MAINPID

#Security
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
ReadOnlyDirectories=/etc/ssl/nginx
ReadWriteDirectories=/var/log/nginx /var/www/
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target

First off was giving nginx the capability to bind ports 443 and 80; this was done with AmbientCapabilities and CapabilityBoundingSet.
Then locking it out of the rest of the system:
  • PrivateDevices - Hides all device nodes (except for random, null, and some others)
  • PrivateTmp - mounts a separate tmp that is used only by nginx (namespaces are used AFAIK)
  • ProtectHome - Disables access to /home and /root
  • ProtectSystem - enables only read access to most of the FS

Finally, poking holes in the lock:
  • ReadOnlyDirectories - disables writing to the dir containing SSL certificates. Since running as user nginx requires all these to have nginx as their owner, nginx could theoretically overwrite its certificates. This prevents that.
  • ReadWriteDirectories - allows rw access to the log directory and to the data directory.

It works, I haven't found anything broken (yet).
This concept is reusable: I've adapted it to tvheadend, dnsmasq and radvd. I'm hoping to convert more of my unit files so as to have fewer services dependent on them dropping their privileges.
The greatest pain is PID files: /run isn't writable by non-root processes, so for each such service there has to exist an entry in /etc/tmpfiles.d creating /run/${SERVICE_NAME}/ with appropriate access rights, so the PID file can be written somewhere.

Here's to hoping someone finds this useful :)
Comments very welcome.

Serafean.
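An added example, not part of the post: a small Python linter for the pattern described above. It parses a unit file, flags ambient capabilities missing from the bounding set and missing hardening directives, and, for a PIDFile under /run, prints the tmpfiles.d line the post says is needed (the nginx sample below is constructed from the unit above; the "~" inverted form of CapabilityBoundingSet= is assumed not to be used).

```python
# Added example, not from the thread: lint a unit for the hardening pattern above.
# Assumes the allow-list form of CapabilityBoundingSet=, not the "~" inverted form.
import re
HARDENING = ("PrivateTmp", "PrivateDevices", "ProtectSystem", "ProtectHome", "NoNewPrivileges")

def parse_unit(text):  # {section: {key: [values]}}; honours '\' line continuations
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continued on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[([^\]]+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def lint_service(text):  # findings for [Service]: privilege, capability, PID-file checks
    svc, findings = parse_unit(text).get("Service", {}), []
    if "User" not in svc:
        findings.append("no User=: service runs as root")
    ambient = set(" ".join(svc.get("AmbientCapabilities", [])).split())
    if "CapabilityBoundingSet" in svc:
        bound = set(" ".join(svc["CapabilityBoundingSet"]).split())
        for cap in sorted(ambient - bound):  # ambient caps must also be in the bounding set
            findings.append(f"{cap} is ambient but not in CapabilityBoundingSet=")
    else:
        findings.append("no CapabilityBoundingSet=: bounding set left unrestricted")
    findings += [f"missing {key}=" for key in HARDENING if key not in svc]
    user = svc.get("User", ["root"])[0]
    group = svc.get("Group", [user])[0]
    for pidfile in svc.get("PIDFile", []):
        tail = pidfile.split("/run/", 1)[1] if "/run/" in pidfile else ""
        if "/" in tail:  # subdir must pre-exist; a tmpfiles.d entry creates it at boot
            findings.append(f"tmpfiles.d entry needed: d /run/{tail.rsplit('/', 1)[0]} 0755 {user} {group} -")
        elif tail:  # /run itself is root-only for an unprivileged daemon
            findings.append(f"{pidfile}: /run is not writable by {user}; use a subdirectory")
    return findings

# Constructed sample: the nginx unit from the post, trimmed to its [Service] section
NGINX_SVC = ("[Service]\nUser=nginx\nGroup=nginx\nPIDFile=/var/run/nginx/nginx.pid\n"
             "CapabilityBoundingSet=CAP_NET_BIND_SERVICE\nAmbientCapabilities=CAP_NET_BIND_SERVICE\n"
             "PrivateTmp=yes\nPrivateDevices=yes\nProtectSystem=full\nProtectHome=yes\nNoNewPrivileges=yes\n")
```

Running `lint_service(NGINX_SVC)` reports only the tmpfiles.d line for /run/nginx, which is exactly the pain point the post describes.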
serafean
PostPosted: Sun Apr 17, 2016 11:40 am

After a week running in this mode, I deem it usable :)
Joining dnsmasq.service.
Code:
[Unit]
Description=A lightweight DHCP and caching DNS server
After=network.target

[Service]
User=dnsmasq
Group=dnsmasq
Type=simple
PIDFile=/var/run/dnsmasq/dnsmasq.pid
ExecStartPre=/usr/sbin/dnsmasq --test
ExecStart=/usr/sbin/dnsmasq -k -x /var/run/dnsmasq/dnsmasq.pid
ExecReload=/bin/kill -HUP $MAINPID

#Security
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
And radvd.service
Code:
[Unit]
Description=Router advertisement daemon for IPv6
Documentation=man:radvd(8)
After=network.target

[Service]
User=radvd
Group=radvd
Type=forking
ExecStartPre=/usr/sbin/radvd --configtest
ExecStart=/usr/sbin/radvd --logmethod stderr --debug 0
ExecReload=/usr/sbin/radvd --configtest ; \
           /bin/kill -HUP $MAINPID
PIDFile=/run/radvd/radvd.pid

# Performance
CPUSchedulingPolicy=idle

#Hardening
CapabilityBoundingSet=CAP_NET_BIND_SERVICE  CAP_NET_RAW
AmbientCapabilities=CAP_NET_BIND_SERVICE  CAP_NET_RAW
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target