security: enable full systemd-status for group 'proc'
Previously, systemd-status was broken for all users except root. Use a 'default' deny policy, which is overridden for group 'proc'. Add operator to group 'proc'. Also, remove redundant XML boilerplate.
This commit is contained in:
parent
96ea2e671c
commit
588a0b2405
@ -227,6 +227,7 @@ in {
|
|||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"systemd-journal"
|
"systemd-journal"
|
||||||
|
"proc" # Enable full /proc access and systemd-status
|
||||||
cfg.bitcoind.group
|
cfg.bitcoind.group
|
||||||
]
|
]
|
||||||
++ (optionals cfg.clightning.enable [ "clightning" ])
|
++ (optionals cfg.clightning.enable [ "clightning" ])
|
||||||
|
@ -7,21 +7,27 @@
|
|||||||
|
|
||||||
# This mitigates a systemd security issue leaking (sub)process
|
# This mitigates a systemd security issue leaking (sub)process
|
||||||
# command lines.
|
# command lines.
|
||||||
# Only allow root to retrieve systemd unit information like
|
# Only allow users with group 'proc' to retrieve systemd unit information like
|
||||||
# cgroup paths (i.e. (sub)process command lines) via D-Bus.
|
# cgroup paths (i.e. (sub)process command lines) via D-Bus.
|
||||||
# This D-Bus call is used by `systemctl status`.
|
# This D-Bus call is used by `systemctl status`.
|
||||||
services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
|
services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
|
||||||
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
|
(pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
|
||||||
|
<busconfig>
|
||||||
<!DOCTYPE busconfig PUBLIC
|
<policy context="default">
|
||||||
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
<deny
|
||||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
send_destination="org.freedesktop.systemd1"
|
||||||
|
|
||||||
<policy context="mandatory">
|
|
||||||
<deny send_destination="org.freedesktop.systemd1"
|
|
||||||
send_interface="org.freedesktop.systemd1.Manager"
|
send_interface="org.freedesktop.systemd1.Manager"
|
||||||
send_member="GetUnitProcesses"/>
|
send_member="GetUnitProcesses"
|
||||||
|
/>
|
||||||
|
</policy>
|
||||||
|
<policy group="proc">
|
||||||
|
<allow
|
||||||
|
send_destination="org.freedesktop.systemd1"
|
||||||
|
send_interface="org.freedesktop.systemd1.Manager"
|
||||||
|
send_member="GetUnitProcesses"
|
||||||
|
/>
|
||||||
</policy>
|
</policy>
|
||||||
</busconfig>
|
</busconfig>
|
||||||
'') ];
|
'')
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
@ -103,11 +103,13 @@ def run_tests(extra_tests):
|
|||||||
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
||||||
assert_no_failure("bitcoind-import-banlist")
|
assert_no_failure("bitcoind-import-banlist")
|
||||||
|
|
||||||
# test that `systemctl status` can't leak credentials
|
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
|
||||||
assert_matches(
|
assert_matches(
|
||||||
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
|
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
|
||||||
"Failed to dump process list for 'clightning.service', ignoring: Access denied",
|
"Failed to dump process list for 'clightning.service', ignoring: Access denied",
|
||||||
)
|
)
|
||||||
|
# The 'operator' with group 'proc' has full access
|
||||||
|
assert_full_match("sudo -u operator systemctl status clightning 2>&1 >/dev/null", "")
|
||||||
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
||||||
|
|
||||||
### Additional tests
|
### Additional tests
|
||||||
|
Loading…
Reference in New Issue
Block a user