:: [DNG] Introducing xchpst for harden…
Pàgina inicial
Aquest missatge és part del següent fil:
Ml'arbre de fils complet ordenat per data
 
 
Delete this message
Reply to this message
Autor: Andrew Bower
Data:  
A: dng
Assumpte: [DNG] Introducing xchpst for hardening runit services
Hi fellow Devuan users,

May I introduce to you a project I have been working on over Christmas
to help users of the runit supervision system to harden runscripts using
Linux namespaces and capabilities?

The runit package ships with an all-in-one tool called 'chpst' (change
process state) that can change various attributes in one shot, such as
ulimits, chroot and user in a succinct command line to launch the
service.

'xchpst' is written from scratch to be backwards compatible with 'chpst'
and extends the tool with options to isolate the target service using
namespaces and can retain capabilities while dropping to a non-root
user or constrain the bounding set of capabilities for daemons that can
drop their own user. For example: 

exec xchpst --new-root --user-ns --private-tmp --private-run \
            --ro-sys -u gerbera:gerbera /usr/bin/gerbera $DAEMON_ARGS


exec xchpst --private-tmp --ro-sys --cap-bs-keep \
    CAP_BLOCK_SUSPEND,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_LEASE,CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN,CAP_SYS_RESOURCE,CAP_SYSLOG \
    /usr/sbin/rsyslogd -n -iNONE


xchpst --caps-keep=CAP_SYS_TIME -u ntp:ntp capsh --print

I have been thinking for a while that it might be wise for the
non-monolithic init systems to start shipping with scripts that
demonstrate the use of hardening options that are becoming more
widespread elsewhere, because the feature/security gap could attract
criticism. I treated the discussion in the following thread as a call
to action!

"we could have a release goal to set a certain bar in terms of
hardening features for trixie+1"
<https://lists.debian.org/debian-devel/2024/12/msg00371.html>

The xchpst source is available at <https://github.com/andy-bower/xchpst>
where I have tagged a release 0.1.0. The interface for versions numbered
0.x is volatile and subject to rapid change.

Built artefacts for Devuan are available along with renderings of the
man page at <https://sw.cdefg.uk/xchpst/xchpst-0.1.0/>. The man page is
the principal documentation.

I would be very grateful for feedback on my proposal, so please do get
in touch! In particular I am interested in feedback on:

1) Is this a useful idea?
2) Do you have a top feature request?
3) Would you be prepared to do some code review?

There is a huge range of options that could be added but I'd like to
focus right now on the most useful set. The idea isn't to mirror
systemd's option set or even to mirror the exact semantics of their
options (as the implication would be that xchpst would always change to
match them).

The major challenge for extending this tool will be a test suite that
catches regressions in difference combinations of option. The different
hardening options interact heavily and ordering is quite crucial.

This tool is aimed at runit. I can imagine it could be made to work with
start-stop-daemon if anyone found that helpful. In some ways this rubs
up against the minimalist principles of runit. What do you think?

I hope this is helpful to someone!

Andrew
Aquest missatge es va enviar a les següents llistes de correu:
dng
Informació sobre la llista de correu | Missatges propers		<-Re: [DNG] I'd like to hear more about the Xaw widget setRe: [DNG] I'd like to hear more about the Xaw widget set->

Donate to Dyne.org

dyne.org open discussions
administrat per dyne.org hackers		Lurker (versió 2.3)