From 0248e6493f5f62fb66a53132480a4812f4e7be9c Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Mon, 27 Jul 2020 17:26:45 +0000
Subject: [PATCH 1/2] systemd: lock down systemctl status

Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`.
---
 modules/dbus.nix                | 55 +++++++++++++++++++++++++++++++++
 modules/modules.nix             |  1 +
 modules/presets/secure-node.nix |  3 ++
 3 files changed, 59 insertions(+)
 create mode 100644 modules/dbus.nix

diff --git a/modules/dbus.nix b/modules/dbus.nix
new file mode 100644
index 0000000..000b0ff
--- /dev/null
+++ b/modules/dbus.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  inherit (config) nix-bitcoin-services;
+  dataDir = "/var/lib/dbus-hardening";
+  # Mitigates a security issue that allows unprivileged users to read
+  # other unprivileged user's processes' credentials from CGroup using
+  # `systemctl status`.
+  dbus-hardening = pkgs.writeText "dbus.conf" ''
+
+
+
+
+
+
+
+
+
+
+
+
+
+  '';
+in {
+  config = {
+    systemd.tmpfiles.rules = [
+      "d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -"
+    ];
+
+    services.dbus.packages = [ "${dataDir}" ];
+
+    systemd.services.hardeneddbus = {
+      description = "Install hardeneddbus";
+      wantedBy = [ "multi-user.target" ];
+      script = ''
+        cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf
+        chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf
+      '';
+      serviceConfig = nix-bitcoin-services.defaultHardening // {
+        PrivateNetwork = "true";
+        Type = "oneshot";
+        User = "messagebus";
+        ReadWritePaths = "${dataDir}";
+      };
+    };
+  };
+}
diff --git a/modules/modules.nix b/modules/modules.nix
index 6eb1d04..dd6d936 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -15,6 +15,7 @@
     ./lnd.nix
     ./secrets/secrets.nix
     ./netns-isolation.nix
+    ./dbus.nix
   ];
 
   disabledModules = [ "services/networking/bitcoind.nix" ];
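Review bot: The `chmod 640` in the `hardeneddbus` script does not keep the policy private, because the same text is built with `pkgs.writeText "dbus.conf"` and therefore already sits world-readable in the Nix store; at the same time the installed copy lives in a `0770 messagebus messagebus` directory and is created by `cp` running as `User = "messagebus"`, so the dbus daemon's own account can rewrite the policy that is meant to constrain it, whereas the stock policy files are root-owned. The oneshot is also only `wantedBy = [ "multi-user.target" ]` with no `before = [ "dbus.service" ]`, so on a fresh boot dbus can, as far as I can tell, start before the file exists and will not see it until its next reload. Both issues disappear if the policy is shipped as a store path: `dbus-hardening = pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''…'';` together with `services.dbus.packages = [ dbus-hardening ];`, dropping `dataDir`, the tmpfiles rule and the `hardeneddbus` service altogether. The `<policy>` body itself did not survive extraction in this hunk, so the rules it installs (presumably a deny on the systemd manager's process-listing call) cannot be reviewed here.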
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 7d5cfe3..2789f69 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -42,6 +42,9 @@ in {
 
   networking.firewall.enable = true;
 
+  # hideProcessInformation even if hardened kernel profile is disabled
+  security.hideProcessInformation = true;
+
   # Tor
   services.tor = {
     enable = true;
From 6a8e29e0164bf4f4d2bf06595effa7e340f8e32f Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Mon, 27 Jul 2020 18:08:38 +0000
Subject: [PATCH 2/2] tests: add dbus-hardening and hideProcessInformation

---
 test/scenarios/default.py   | 7 +++++++
 test/scenarios/withnetns.py | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/test/scenarios/default.py b/test/scenarios/default.py
index 19375a1..0d6c4c3 100644
--- a/test/scenarios/default.py
+++ b/test/scenarios/default.py
@@ -51,6 +51,13 @@ assert_matches("curl -L localhost/store", "tshirt")
 machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
 assert_no_failure("bitcoind-import-banlist")
 
+# test that `systemctl status` can't leak credentials
+assert_matches(
+    "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
+    "Failed to dump process list for 'clightning.service', ignoring: Access denied",
+)
+machine.succeed("grep -Fq hidepid=2 /proc/mounts")
+
 ### Additional tests
 
 # Current time in µs
diff --git a/test/scenarios/withnetns.py b/test/scenarios/withnetns.py
index 99d8d73..d07480b 100644
--- a/test/scenarios/withnetns.py
+++ b/test/scenarios/withnetns.py
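Review bot: `security.hideProcessInformation = true;` remounts `/proc` with `hidepid=2` for the whole system, not just for the node's service users, and that is known to interfere with systemd user instances and with any tool that has to enumerate other users' processes (NixOS has since dropped the option, if I remember correctly); the one-line comment above it should record that trade-off, e.g. `# Mounts /proc with hidepid=2 system-wide; anything that must see other users' processes breaks unless granted an exception`. The only coverage added in this series is the `grep -Fq hidepid=2 /proc/mounts` check in the test scenarios, which confirms the mount option but not that the node's remaining services keep working under it. The enclosing attribute set of secure-node.nix starts and ends outside the hunk.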
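Review bot: The new `assert_matches` only proves that `systemctl status` prints the `Access denied` warning; it does not check that the process list is actually withheld, and the matched text is a systemd log string that can change wording between releases, so a future mismatch would read as a security regression when it is not. A check that asserts the absence of the data is more robust, e.g. `machine.fail("sudo -u electrs cat /proc/$(systemctl show -p MainPID --value clightning)/cmdline")` next to the existing mount-option check, since hidepid=2 is what the scenario is meant to verify. The same six lines are added verbatim to test/scenarios/withnetns.py in the next hunk; a single helper in the shared test scaffolding called from both scenarios would keep the two from drifting apart.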
@@ -113,6 +113,13 @@ assert_matches_exactly(
 # test that netns-exec can not be executed by users that are not operator
 machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
 
+# test that `systemctl status` can't leak credentials
+assert_matches(
+    "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
+    "Failed to dump process list for 'clightning.service', ignoring: Access denied",
+)
+machine.succeed("grep -Fq hidepid=2 /proc/mounts")
+
 ### Additional tests
 
 # Current time in µs