FS#60669 - [gitea] systemd service hardening
Attached to Project:
Community Packages
Opened by Bruno Pagani (ArchangeGabriel) - Thursday, 01 November 2018, 14:07 GMT
Last edited by Jelle van der Waa (jelly) - Sunday, 03 September 2023, 09:59 GMT
Opened by Bruno Pagani (ArchangeGabriel) - Thursday, 01 November 2018, 14:07 GMT
Last edited by Jelle van der Waa (jelly) - Sunday, 03 September 2023, 09:59 GMT
|
Details
They are three things we need to investigate:
1. Further restricting syscall (currently only using the very generic @system-service). 2. Possible use of RestrictNamespaces? 3. Why setting SecureBits=noroot-locked results in: ``` Failed to set process secure bits: Operation not permitted Failed at step SECUREBITS spawning /usr/bin/gitea: Operation not permitted Main process exited, code=exited, status=213/SECUREBITS ``` I’m opening this ticket so that we keep track of this. |
This task depends upon
Closed by Jelle van der Waa (jelly)
Sunday, 03 September 2023, 09:59 GMT
Reason for closing: Implemented
Additional comments about closing: Some hardening has been implemented.
Sunday, 03 September 2023, 09:59 GMT
Reason for closing: Implemented
Additional comments about closing: Some hardening has been implemented.
I did some quick and dirty testing to disable some rules in the service file and setcap CAP_NET_BIND_SERVICE:
```
AmbientCapabilities=CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=
#NoNewPrivileges=True
#PrivateUsers=true
#PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectControlGroups=yes
#ProtectKernelTunables=true
#ProtectKernelModules=yes
ReadWritePaths=/etc/gitea/app.ini /var/lib/gitea
#LockPersonality=true
#MemoryDenyWriteExecute=true
#RestrictRealtime=true
#SystemCallArchitectures=native
#SystemCallFilter=@system-service
```
(not sure what can be done about this, just wanted to make you aware of this use case while you are working on this)
You don’t need to comment so many options btw, AmbientCapabilities=CAP_NET_BIND_SERVICE (and maybe the same for CapabilityBoundingSet=) should be enough.
That being said, you don’t need to use the builtin SSH server on port 22 to have pretty clone URLs, you can just use the normal sshd service on your system. But maybe you don’t run it on port 22?
A cleaner solution in `/etc/systemd/system/gitea.service.d/override.conf`:
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
PrivateUsers=false
If I don't override PrivateUsers, gitea can't bind the port. I can add this to the wiki.
I’ve added the override to the wiki. ;) Maybe we should move the SSH setup to its own section, and have the built-in SSH setup described there too.
I ran into two different problems and fixed them:
- Overriding PrivateUsers to false, fixed the first problem, as you mentioned in the comments and in the wiki (forgot to take a look at).
- I had to reset the SystemCallFilter and switch from whitelist to blacklist again, since the @system-service call filter was only recently introduced (systemd 2.39, June 2018). I am stuck at a slightly older systemd version. Overriding the SystemCallFilter is enough, so I can fully migrate from AUR to community version.
=> Commit: https://github.com/systemd/systemd/commit/705268414f6ba6aa96c56d6c39b5ebf74426e847#diff-163053d4ffcb73ea2816b74099583b2a
Just to inform you about the status of my particular issue.
Note that regarding SystemCallFilter, the idea is to reduce the white list as much as possible using at least less groups than what is included in @system-service (and ideally whitelisting only required calls, but that is a lot of work). I did not do so yet because this requires a lot of time to investigate what is required, something I don’t have currently.
Is it an option to add systemd (239.0+) as a dependency or optional dependency to make users aware?
Or is it a convention for a rolling-release OS like Arch?
https://github.com/go-gitea/gitea/blob/master/modules/setting/setting.go#L859
This leads to a rather unobvious crash-on-start.
It's possible there's a feasible workaround, but after a few hours of debugging, the simplest solution I've found is to just disable ProtectHome. There shouldn't be anything important in /home/git/ on most systems besides .ssh/authorized_keys anyways, and gitea needs to be able to write that file.
On the admin dashboard, the option 'Resynchronize pre-receive, update and post-receive hooks of all repositories.' failed due to the file system of my git root being read-only to the gitea process.
By using ProtectSystem=full, this problem went away.
@mvdnes: If you could extend the wiki page regarding configuring another repo location under “Tips and tricks”, that would be welcome.
I am too not binding ssh to port 22.
I am currently trying the override systemd conf. I am using systemd 245.5-2 and gitea 1.11.4-2.
Info:
https://github.com/go-gitea/gitea/issues/9792
https://wiki.archlinux.org/index.php/Gitea#Process_dumped_core_on_ArchLinux_ARM