On 5/24/21 9:33 AM, Johnson, Andrew N. wrote:
> On May 23, 2021, at 9:57 AM, Michael Davidsaver via Tech-talk <tech-talk at aps.anl.gov> wrote:
>>
>> The caRepeater.service currently included in Base is in need of improvement.
>> e.g. to not run as root.
>
> That’s about the one thing that it /doesn’t/ do, line 22 <https://github.com/epics-base/epics-base/blob/b777233efb06fa4e988c4f0738b0270dd3d095a3/modules/ca/src/client/caRepeater.service@#L22> configures it to run as daemon:
Daemons can (and imo should) be constrained to prevent unnecessary operations.
e.g. disallow filesystem writes with "ProtectSystem=strict" when run as root.
Or "ProtectHome=true" and "PrivateTmp=true" to prevent snooping.
This is an expression of the idea of defense in depth, and is generally seen
as good practice these days. Especially for a network service.
>> tux% ps -ef | grep caRepeater
>> daemon 2255 1 0 Apr21 ? 00:02:51 /usr/bin/caRepeater
>> tux% systemctl status caRepeater.service
>> ● caRepeater.service - EPICS CA Repeater
>> Loaded: loaded (/usr/lib/systemd/system/caRepeater.service; enabled; vendor preset: disabled)
>> Active: active (running) since Wed 2021-04-21 09:03:16 CDT; 1 months 2 days ago
>> Main PID: 2255 (caRepeater)
>> Tasks: 1
>> CGroup: /system.slice/caRepeater.service
>> └─2255 /usr/bin/caRepeater
>
> I’m not saying it couldn’t be significantly improved <https://www.redhat.com/sysadmin/systemd-secure-services> though:
>
>> $ systemd-analyze security caRepeater.service
>> NAME DESCRIPTION EXPOSURE
>> ✗ PrivateNetwork= Service has access to the host's network 0.5
>> ✓ User=/DynamicUser= Service runs under a static non-root user identity
>> ✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3
>> ✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3
>> ✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3
>> ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
>> ✗ RestrictNamespaces=~CLONE_NEWUSER Service may create user namespaces 0.3
>> ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
>> ✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service may change file ownership/access mode/capabilities unrestricted 0.2
>> ✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service may override UNIX file/IPC permission checks 0.2
>> ✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2
>> ✗ CapabilityBoundingSet=~CAP_RAWIO Service has raw I/O access 0.2
>> ✗ CapabilityBoundingSet=~CAP_SYS_MODULE Service may load kernel modules 0.2
>> ✗ CapabilityBoundingSet=~CAP_SYS_TIME Service processes may change the system clock 0.2
>> ✗ DeviceAllow= Service has no device ACL 0.2
>> ✗ IPAddressDeny= Service does not define an IP address whitelist 0.2
>> ✓ KeyringMode= Service doesn't share key material with other services
>> ✗ NoNewPrivileges= Service processes may acquire new privileges 0.2
>> ✓ NotifyAccess= Service child processes cannot alter service state
>> ✗ PrivateDevices= Service potentially has access to hardware devices 0.2
>> ✗ PrivateMounts= Service may install system mounts 0.2
>> ✗ PrivateTmp= Service has access to other software's temporary files 0.2
>> ✗ PrivateUsers= Service has access to other users 0.2
>> ✗ ProtectControlGroups= Service may modify to the control group file system 0.2
>> ✗ ProtectHome= Service has full access to home directories 0.2
>> ✗ ProtectKernelModules= Service may load or read kernel modules 0.2
>> ✗ ProtectKernelTunables= Service may alter kernel tunables 0.2
>> ✗ ProtectSystem= Service has full access the OS file hierarchy 0.2
>> ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
>> ✗ RestrictSUIDSGID= Service may create SUID/SGID files 0.2
>> ✗ SystemCallArchitectures= Service may execute system calls with all ABIs 0.2
>> ✗ SystemCallFilter=~@clock Service does not filter system calls 0.2
>> ✗ SystemCallFilter=~@debug Service does not filter system calls 0.2
>> ✗ SystemCallFilter=~@module Service does not filter system calls 0.2
>> ✗ SystemCallFilter=~@mount Service does not filter system calls 0.2
>> ✗ SystemCallFilter=~@raw-io Service does not filter system calls 0.2
>> ✗ SystemCallFilter=~@reboot Service does not filter system calls 0.2
>> ✗ SystemCallFilter=~@swap Service does not filter system calls 0.2
>> ✗ SystemCallFilter=~@privileged Service does not filter system calls 0.2
>> ✗ SystemCallFilter=~@resources Service does not filter system calls 0.2
>> ✓ AmbientCapabilities= Service process does not receive ambient capabilities
>> ✗ CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1
>> ✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary processes 0.1
>> ✗ CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1
>> ✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1
>> ✗ CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logging 0.1
>> ✗ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has privileges to change resource use parameters 0.1
>> ✗ RestrictNamespaces=~CLONE_NEWCGROUP Service may create cgroup namespaces 0.1
>> ✗ RestrictNamespaces=~CLONE_NEWIPC Service may create IPC namespaces 0.1
>> ✗ RestrictNamespaces=~CLONE_NEWNET Service may create network namespaces 0.1
>> ✗ RestrictNamespaces=~CLONE_NEWNS Service may create file system namespaces 0.1
>> ✗ RestrictNamespaces=~CLONE_NEWPID Service may create process namespaces 0.1
>> ✗ RestrictRealtime= Service may acquire realtime scheduling 0.1
>> ✗ SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1
>> ✗ SystemCallFilter=~@obsolete Service does not filter system calls 0.1
>> ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
>> ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
>> ✓ SupplementaryGroups= Service has no supplementary groups
>> ✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1
>> ✗ CapabilityBoundingSet=~CAP_SYS_BOOT Service may issue reboot() 0.1
>> ✓ Delegate= Service does not maintain its own delegated control group subtree
>> ✗ LockPersonality= Service may change ABI personality 0.1
>> ✗ MemoryDenyWriteExecute= Service may create writable executable memory mappings 0.1
>> ✗ RemoveIPC= Service user may leave SysV IPC objects around 0.1
>> ✗ RestrictNamespaces=~CLONE_NEWUTS Service may create hostname namespaces 0.1
>> ✗ UMask= Files created by service are world-readable by default 0.1
>> ✗ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service may mark files immutable 0.1
>> ✗ CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1
>> ✗ CapabilityBoundingSet=~CAP_SYS_CHROOT Service may issue chroot() 0.1
>> ✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service may establish wake locks 0.1
>> ✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1
>> ✗ CapabilityBoundingSet=~CAP_SYS_PACCT Service may use acct() 0.1
>> ✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service may issue vhangup() 0.1
>> ✗ CapabilityBoundingSet=~CAP_WAKE_ALARM Service may program timers that wake up the system 0.1
>> ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
>>
>> → Overall exposure level for caRepeater.service: 9.1 UNSAFE 😨
>
>
> - Andrew
>
> --
> Complexity comes for free, simplicity you have to work for.
>
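As an added example (not from EPICS Base, and not code from either poster), here is a systemd drop-in that applies the constraints Michael names above and also closes most of the other items that `systemd-analyze security` flagged in Andrew's output, without editing the vendor unit. It assumes the stock unit already sets `User=daemon` (as the `ps` output shows) so no capability is needed to bind UDP 5065, and that caRepeater needs only IPv4/IPv6 sockets; `AF_UNIX` is kept conservatively because glibc name lookups may open one. The drop-in path, the file name `10-hardening.conf`, and the helper function names are my own choices.

```shell
#!/bin/sh
# Added example: sandbox caRepeater.service with a drop-in override.
# Assumes the vendor unit already runs the daemon as User=daemon and that
# the repeater only needs IPv4/IPv6 UDP sockets (see lead-in).
set -eu

UNIT=caRepeater.service
DROPIN_DIR="/etc/systemd/system/${UNIT}.d"
DROPIN="${DROPIN_DIR}/10-hardening.conf"

# Emit the drop-in. Every directive is a [Service] sandboxing option from
# systemd.exec(5); the three Michael mentions come first.
carepeater_hardening_dropin() {
    cat <<'EOF'
[Service]
# Filesystem: / read-only (strict also covers /etc, /boot), no $HOME, private /tmp
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# Kernel, devices, cgroups, clock: a UDP repeater touches none of them
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
# Privileges: empty bounding set, and no way to regain anything via setuid/fscaps
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true
# Sockets: CA beacons and repeater fan-out are IPv4/IPv6 UDP; AF_UNIX kept for glibc
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=true
# Syscalls: native ABI only, generic service allow-list minus privileged/resource calls
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
UMask=0077
EOF
}

# Pre-deploy check: does the drop-in contain an exact directive line?
# Returns 0 if present, 1 if not (fixed-string, whole-line match).
dropin_has() {
    carepeater_hardening_dropin | grep -qxF -- "$1"
}

# Install, reload, restart, then re-score with systemd-analyze.
install_dropin() {
    mkdir -p "$DROPIN_DIR"
    carepeater_hardening_dropin > "$DROPIN"
    systemctl daemon-reload
    systemctl restart "$UNIT"
    systemd-analyze security "$UNIT"
}

if [ "${1:-}" = "--install" ]; then
    install_dropin
fi
```

Run it as root with `--install`, then watch `journalctl -u caRepeater.service` for "Operation not permitted" or seccomp kills and confirm clients still see beacons before leaving it in place; if something breaks, loosen one directive at a time rather than dropping the whole file. Older systemd releases log unknown directives (for example `ProtectClock=`) as warnings and ignore them, so check what actually took effect with `systemctl show -p ProtectSystem -p ProtectHome -p PrivateTmp caRepeater.service`. `IPAddressDeny=` is deliberately left out: the repeater has to accept beacons from every CA server on the site, so an address allow-list is site-specific.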
- Replies:
- Re: caRepeater w/ systemd? Ernesto Paiser via Tech-talk
- References:
- caRepeater w/ systemd? Michael Davidsaver via Tech-talk
- Re: caRepeater w/ systemd? Johnson, Andrew N. via Tech-talk