Hi Michael,
I've installed caRepeater as a systemd service at boot time
as private user not root on RHEL8 (see below):
ImYourMasterAndYouMySlave #> cat caRepeater.service
#
# Linux systemd service file for the EPICS CA Repeater
#
# To install this file, as root:
# cp caRepeater.service /etc/systemd/system
# chmod 664 /etc/systemd/system/caRepeater.service
# systemctl daemon-reload
# systemctl enable caRepeater
# systemctl start caRepeater
#
# To check the status:
# systemctl status caRepeater
[Unit]
Description=EPICS CA Repeater
Requires=multi-user.target
After=multi-user.target
[Service]
ExecStart=/opt/epics/R3.15.5/base/bin/linux-x86_64/caRepeater
Restart=on-failure
User=epics2
[Install]
WantedBy=multi-user.target
On 5/30/21 7:15 AM, Michael Davidsaver via Tech-talk wrote:
CAUTION: *** EMAIL ORIGINATED FROM OUTSIDE THE ORGANIZATION. Please do not click links or open attachments unless you know the contents are safe. Verify that you recognize sender email address before clicking any link or attachment. DO NOT enter/change any password when clicking on a link. ***
On 5/24/21 9:33 AM, Johnson, Andrew N. wrote:
On May 23, 2021, at 9:57 AM, Michael Davidsaver via Tech-talk <tech-talk at aps.anl.gov <mailto:tech-talk at aps.anl.gov>> wrote:
The caRepeater.service currently included in Base is in need of improvement.
eg. to not run as root.
That’s about the one thing that it /doesn’t/ do, line 22 <https://github.com/epics-base/epics-base/blob/b777233efb06fa4e988c4f0738b0270dd3d095a3/modules/ca/src/client/caRepeater.service@#L22> configures it to run as daemon:
Daemons can (and imo should) be constrained to prevent unnecessary operations.
eg. disallow filesystem writes with "ProtectSystem=strict" when run as root.
Or "ProtectHome=true" "PrivateTmp=true" to prevent snooping.
This is an expression of the idea of defense in depth, and is generally seen
as good practice these days. Especially for a network service.
*tux% *ps -ef | grep caRepeater
daemon 2255 1 0 Apr21 ? 00:02:51 /usr/bin/*caRepeater*
*tux% *systemctl status caRepeater.service
*●*caRepeater.service - EPICS CA Repeater
Loaded: loaded (/usr/lib/systemd/system/caRepeater.service; enabled; vendor preset: disabled)
Active: *active (running)*since Wed 2021-04-21 09:03:16 CDT; 1 months 2 days ago
Main PID: 2255 (caRepeater)
Tasks: 1
CGroup: /system.slice/caRepeater.service
└─2255 /usr/bin/caRepeater
I’m not saying it couldn’t be significantly improved <https://www.redhat.com/sysadmin/systemd-secure-services> though:
*$ *systemd-analyze security caRepeater.service
NAME DESCRIPTION EXPOSURE
*✗*PrivateNetwork= Service has access to the host's network 0.5
*✓*User=/DynamicUser= Service runs under a static non-root user identity
*✗*CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3
*✗*CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3
*✗*CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3
*✗*RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
*✗*RestrictNamespaces=~CLONE_NEWUSER Service may create user namespaces 0.3
*✗*RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
*✗*CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service may change file ownership/access mode/capabilities unrestricted 0.2
*✗*CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service may override UNIX file/IPC permission checks 0.2
*✗*CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2
*✗*CapabilityBoundingSet=~CAP_RAWIO Service has raw I/O access 0.2
*✗*CapabilityBoundingSet=~CAP_SYS_MODULE Service may load kernel modules 0.2
*✗*CapabilityBoundingSet=~CAP_SYS_TIME Service processes may change the system clock 0.2
*✗*DeviceAllow= Service has no device ACL 0.2
*✗*IPAddressDeny= Service does not define an IP address whitelist 0.2
*✓*KeyringMode= Service doesn't share key material with other services
*✗*NoNewPrivileges= Service processes may acquire new privileges 0.2
*✓*NotifyAccess= Service child processes cannot alter service state
*✗*PrivateDevices= Service potentially has access to hardware devices 0.2
*✗*PrivateMounts= Service may install system mounts 0.2
*✗*PrivateTmp= Service has access to other software's temporary files 0.2
*✗*PrivateUsers= Service has access to other users 0.2
*✗*ProtectControlGroups= Service may modify to the control group file system 0.2
*✗*ProtectHome= Service has full access to home directories 0.2
*✗*ProtectKernelModules= Service may load or read kernel modules 0.2
*✗*ProtectKernelTunables= Service may alter kernel tunables 0.2
*✗*ProtectSystem= Service has full access the OS file hierarchy 0.2
*✗*RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
*✗*RestrictSUIDSGID= Service may create SUID/SGID files 0.2
*✗*SystemCallArchitectures= Service may execute system calls with all ABIs 0.2
*✗*SystemCallFilter=~@clock Service does not filter system calls 0.2
*✗*SystemCallFilter=~@debug Service does not filter system calls 0.2
*✗*SystemCallFilter=~@module Service does not filter system calls 0.2
*✗*SystemCallFilter=~@mount Service does not filter system calls 0.2
*✗*SystemCallFilter=~@raw-io Service does not filter system calls 0.2
*✗*SystemCallFilter=~@reboot Service does not filter system calls 0.2
*✗*SystemCallFilter=~@swap Service does not filter system calls 0.2
*✗*SystemCallFilter=~@privileged Service does not filter system calls 0.2
*✗*SystemCallFilter=~@resources Service does not filter system calls 0.2
*✓*AmbientCapabilities= Service process does not receive ambient capabilities
*✗*CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1
*✗*CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary processes 0.1
*✗*CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1
*✗*CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1
*✗*CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logging 0.1
*✗*CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has privileges to change resource use parameters 0.1
*✗*RestrictNamespaces=~CLONE_NEWCGROUP Service may create cgroup namespaces 0.1
*✗*RestrictNamespaces=~CLONE_NEWIPC Service may create IPC namespaces 0.1
*✗*RestrictNamespaces=~CLONE_NEWNET Service may create network namespaces 0.1
*✗*RestrictNamespaces=~CLONE_NEWNS Service may create file system namespaces 0.1
*✗*RestrictNamespaces=~CLONE_NEWPID Service may create process namespaces 0.1
*✗*RestrictRealtime= Service may acquire realtime scheduling 0.1
*✗*SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1
*✗*SystemCallFilter=~@obsolete Service does not filter system calls 0.1
*✗*RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
*✗*RootDirectory=/RootImage= Service runs within the host's root directory 0.1
*✓*SupplementaryGroups= Service has no supplementary groups
*✗*CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1
*✗*CapabilityBoundingSet=~CAP_SYS_BOOT Service may issue reboot() 0.1
*✓*Delegate= Service does not maintain its own delegated control group subtree
*✗*LockPersonality= Service may change ABI personality 0.1
*✗*MemoryDenyWriteExecute= Service may create writable executable memory mappings 0.1
*✗*RemoveIPC= Service user may leave SysV IPC objects around 0.1
*✗*RestrictNamespaces=~CLONE_NEWUTS Service may create hostname namespaces 0.1
*✗*UMask= Files created by service are world-readable by default 0.1
*✗*CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service may mark files immutable 0.1
*✗*CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1
*✗*CapabilityBoundingSet=~CAP_SYS_CHROOT Service may issue chroot() 0.1
*✗*CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service may establish wake locks 0.1
*✗*CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1
*✗*CapabilityBoundingSet=~CAP_SYS_PACCT Service may use acct() 0.1
*✗*CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service may issue vhangup() 0.1
*✗*CapabilityBoundingSet=~CAP_WAKE_ALARM Service may program timers that wake up the system 0.1
*✗*RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
→ *Overall exposure level for caRepeater.service*: *9.1 UNSAFE*😨
- Andrew
--
Complexity comes for free, simplicity you have to work for.
- References:
- caRepeater w/ systemd? Michael Davidsaver via Tech-talk
- Re: caRepeater w/ systemd? Johnson, Andrew N. via Tech-talk
- Re: caRepeater w/ systemd? Michael Davidsaver via Tech-talk
- Navigate by Date:
- Prev:
Re: Modbus & asynManager::queueLockPort queueRequest failed: port not connected Mark Rivers via Tech-talk
- Next:
Re: using autosave, iocInit hangs Heinz Junkes via Tech-talk
- Index:
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
<2021>
2022
2023
2024
- Navigate by Thread:
- Prev:
Re: caRepeater w/ systemd? Michael Davidsaver via Tech-talk
- Next:
using autosave, iocInit hangs junkes via Tech-talk
- Index:
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
<2021>
2022
2023
2024
|