authorPhilip Withnall <withnall@endlessm.com>2019-01-16 14:24:51 +0000
committerRay Strode <halfline@gmail.com>2019-05-07 15:07:28 +0000
commit0e712e935abd26499ff5995ab363e5bfd9ee7c4c (patch)
tree2b490e83247f27d19283aecf7d4f76ceb8df7eb8
parent152b845bbd3ca2a64516691493a160825f1a2046 (diff)
data: Tighten up systemd sandboxing of accounts-daemon.service
Tighten up the sandboxing of the daemon, paying particular attention to file system access. Further work could be done to make the daemon run as a non-root user (User=/Group=/DynamicUser=), drop capabilities (CapabilityBoundingSet=) and restrict system calls (SystemCallFilter=). This is a reasonable starting point, though. It has been tested with adding, modifying and deleting users, and reading/writing user extension data. Testing was done on a Fedora and a Debian-based system. The useradd/userdel/usermod subprocesses require a lot of permissions which the accounts-service daemon itself doesn’t. In future, it might make sense to run them in a separate privilege-escalated sandbox, and further restrict the permissions of the accounts-service daemon itself. Signed-off-by: Philip Withnall <withnall@endlessm.com> https://gitlab.freedesktop.org/accountsservice/accountsservice/merge_requests/22
-rw-r--r--data/accounts-daemon.service.in47
-rw-r--r--data/meson.build4
2 files changed, 51 insertions, 0 deletions
diff --git a/data/accounts-daemon.service.in b/data/accounts-daemon.service.in
index b3ef56e..46c65d4 100644
--- a/data/accounts-daemon.service.in
+++ b/data/accounts-daemon.service.in
@@ -15,6 +15,53 @@ Environment=GVFS_DISABLE_FUSE=1
Environment=GIO_USE_VFS=local
Environment=GVFS_REMOTE_VOLUME_MONITOR_IGNORE=1
+StateDirectory=AccountsService
+StateDirectoryMode=0775
+
+ProtectSystem=strict
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+# Write access is needed to create home directories:
+ProtectHome=false
+PrivateTmp=true
+PrivateNetwork=true
+# We need access to the canonical user database:
+PrivateUsers=false
+# For D-Bus:
+RestrictAddressFamilies=AF_UNIX
+SystemCallArchitectures=native
+SystemCallFilter=~@mount
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RemoveIPC=true
+
+# In addition to the below paths,
+# - @localstatedir@/lib/AccountsService/users/ and
+# - @localstatedir@/lib/AccountsService/icons/
+# are read/written by the daemon. See StateDirectory= above.
+#
+# The paths in /etc are not directly modified by AccountsService, but by
+# usermod, which it spawns.
+#
+# The paths in /var/log and /var/mail are touched by useradd/userdel when adding
+# or deleting users.
+ReadWritePaths=\
+ -@gdm_conf_file@ \
+ /etc/ \
+ -/proc/self/loginuid \
+ -/var/log/lastlog \
+ -/var/log/tallylog \
+ -/var/mail/
+ReadOnlyPaths=\
+ @datadir@/accountsservice/interfaces/ \
+ @datadir@/dbus-1/interfaces/ \
+ @path_wtmp@ \
+ /run/systemd/seats/
+
[Install]
# We pull this in by graphical.target instead of waiting for the bus
# activation, to speed things up a little: gdm uses this anyway so it is nice
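Review bot: The `/etc/` entry in ReadWritePaths= re-opens the whole of /etc for writing, which is the largest hole left in an otherwise strict ProtectSystem= setup, and the comment above it only says usermod touches "the paths in /etc" without explaining why the directory rather than the individual files is listed. As far as I recall the shadow tools replace passwd/shadow/group/gshadow by writing a temporary file and renaming over the original, and take lock files in the same directory, so per-file bind mounts would not suffice; that reasoning belongs in the comment, e.g. `# useradd/usermod/userdel replace these files via temporary files and lock files in /etc, so the directory itself must be writable, not just the files.` If @gdm_conf_file@ expands to a path under /etc, the preceding `-@gdm_conf_file@` line is subsumed by it and could carry a note saying so. PrivateNetwork=true together with RestrictAddressFamilies=AF_UNIX will cut off any NSS module that does its own network I/O in-process; the description says testing covered local Fedora and Debian users only, so a short comment recording that assumption next to those lines would help whoever debugs a broken directory-backed system. The hunk's trailing context continues into [Install] outside the shown lines.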
diff --git a/data/meson.build b/data/meson.build
index 4987937..79f7651 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -14,7 +14,11 @@ install_data(
)
service_conf = configuration_data()
+service_conf.set('datadir', act_datadir)
+service_conf.set('gdm_conf_file', gdm_conf_file)
service_conf.set('libexecdir', act_libexecdir)
+service_conf.set('localstatedir', act_localstatedir)
+service_conf.set('path_wtmp', path_wtmp)
service = act_namespace + '.service'