FS#61089 - [grafana] apply generic systemd hardening
Attached to Project:
Community Packages
Opened by Jelle van der Waa (jelly) - Saturday, 15 December 2018, 17:54 GMT
Last edited by Jelle van der Waa (jelly) - Saturday, 13 February 2021, 12:50 GMT
Details
Description:
Please harden our provided systemd service, it should be possible to at least set a few of these options.
```
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
```
Closed by Jelle van der Waa (jelly)
Saturday, 13 February 2021, 12:50 GMT
Reason for closing: Implemented
Additional comments about closing: Hardening has been added to grafana.
https://github.com/grafana/grafana/blob/master/packaging/deb/systemd/grafana-server.service
https://github.com/grafana/grafana/blob/master/packaging/rpm/systemd/grafana-server.service
Please discuss with upstream the idea of consolidating this messy set of copy-pasted files with extremely trivial variations, since the sysconfig file variables are only ever used in order to change the location of the --config file.
It makes no sense **even on Debian or Fedora** for the sysconfig/default file to set the default locations for things that are already specified in grafana.ini, nor does it make sense to have the pidfile be configurable in that manner when systemd has a mandatory XDG_RUNTIME_DIR intended for this explicit use case.
Eli, if you have time to start a discussion with them, do it. You can act on my behalf, or, moreover, if you are interested in taking over maintainership of grafana, let me know.
```
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=eror msg="Failed to start session" logger=context error="open /usr/share/grafana/data/sessions/d/6/d621c876cb06c63f: read-only file system"
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login status=302 remote_addr=127.0.0.1 time_ms=12 size=35 referer=https://localhost/monitoring/login
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=eror msg="Failed to start session" logger=context error="open /usr/share/grafana/data/sessions/0/a/0a8c315abf9936a0: read-only file system"
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=[::1] time_ms=0 size=40 referer=https://localhost/monitoring/login
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=eror msg="Failed to start session" logger=context error="open /usr/share/grafana/data/sessions/c/f/cfff0c0f78eadbc0: read-only file system"
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login status=302 remote_addr=127.0.0.1 time_ms=6 size=35 referer=https://localhost/monitoring/login
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=eror msg="Failed to start session" logger=context error="open /usr/share/grafana/data/sessions/5/d/5df761d3e70ef6f7: read-only file system"
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=[::1] time_ms=0 size=40 referer=https://localhost/monitoring/login
Dec 26 12:54:33 santa grafana-server[4983]: t=2018-12-26T12:54:33+0000 lvl=eror msg="Failed to start session" logger=context error="open /usr/share/grafana/data/sessions/3/2/32526567a33da992: read-only file system"
Dec 26 12:54:34 santa grafana-server[4983]: t=2018-12-26T12:54:34+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login status=302 remote_addr=127.0.0.1 time_ms=7 size=35 referer=https://localhost/monitoring/login
```
Adding
```
LogsDirectory=grafana
StateDirectory=grafana
```
to the systemd unit fixes this.
```
Dec 31 09:32:43 calcium grafana-server[22809]: FileLogWriter("/usr/share/grafana/data/log/grafana.log"): Rotate: rename /usr/share/grafana/data/log/grafana.log /usr/share/grafana/data/log/grafana.log.2018-12-31.002: read-only file system
```
I'm curious about the LogsDirectory/StateDirectory directives fixing the path access. I wanna test that.
So, I patched the default.ini with a few sed lines (instead of adding our default path on the ExecStart=).
I'm balanced between:
- Switch from ProtectSystem=strict to ProtectSystem=full.
  Because Grafana is legitimately allowed to write to the filesystem wherever it is configured to, except on protected paths (e.g. /etc, /usr, /home, /dev, etc.).
  So, if you want your data in /srv/grafana or /mnt/nfs/grafana, that's perfectly allowed by only changing the grafana configuration.
  But, if you want to do dangerous things, like storing your data in /usr/share/grafana/data, you have to deal with a higher-level security system.
- Keep ProtectSystem=strict and allow read-write on specific directories (i.e. /var/{lib,log}/grafana).
  This offers, by default, a stronger configuration of grafana by allowing it to write only in its default directories.
  So, it offers an additional layer of security on the grafana code, so that it cannot overwrite data in other directories, which may not contain grafana data.
  But the grafana configuration file is no longer the (only) place where we define grafana paths, as long as they are legitimate, so it's not free security.
We don't have an Arch policy about which parts of the filesystem should be set read-only or not for daemons. If you have opinions about this, let me know.
To fix the broken situation, I'll push a package with correct default paths and ProtectSystem=full until there is more discussion.
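The trade-off in the last two comments (ProtectSystem=strict with StateDirectory=/LogsDirectory= versus ProtectSystem=full) can be made concrete by modelling the documented systemd.exec(5) semantics and asking, for each candidate data path, whether grafana could write to it. The following Python script is an added example, not code from Grafana, Arch Linux or this ticket. It is a simplification of the real mount-namespace logic: it handles ProtectSystem=, ProtectHome=, StateDirectory=, LogsDirectory= and ReadWritePaths=, and ignores ReadOnlyPaths=, InaccessiblePaths=, BindPaths= and ProtectHome=tmpfs. The unit fragments and sample paths are constructed for the example (the /usr/share/grafana/data paths are the ones from the log lines above; the others are the cases the maintainer mentions).

```python
# Added example: model which paths a service can write to under the
# systemd.exec(5) sandboxing directives discussed in this ticket.
# Simplification: ReadOnlyPaths=, InaccessiblePaths=, BindPaths= and
# ProtectHome=tmpfs are not modelled.
from pathlib import PurePosixPath

RO_FULL = ("/usr", "/boot", "/efi", "/etc")     # read-only under ProtectSystem=full
RO_TRUE = ("/usr", "/boot", "/efi")             # read-only under ProtectSystem=true
STRICT_EXEMPT = ("/dev", "/proc", "/sys")       # still writable under strict
HOME_PATHS = ("/home", "/root", "/run/user")    # covered by ProtectHome=
TRUE_VALUES = ("true", "yes", "on", "1")


def _under(path, prefix):
    """True if path equals prefix or lies below it."""
    p, q = PurePosixPath(path), PurePosixPath(prefix)
    return p == q or q in p.parents


def parse_unit(text):
    """Collect [Service] directives as {key: [values]}; an empty value resets the list."""
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "":
            directives[key] = []
        else:
            directives.setdefault(key, []).extend(value.split())
    return directives


def _last(directives, key, default):
    values = directives.get(key) or []
    return values[-1] if values else default


def writable_paths(directives):
    """Paths that stay writable regardless of ProtectSystem=."""
    paths = [f"/var/lib/{n}" for n in directives.get("StateDirectory", [])]
    paths += [f"/var/log/{n}" for n in directives.get("LogsDirectory", [])]
    # ReadWritePaths= entries may carry a leading "-" (ignore if missing) or "+".
    paths += [p.lstrip("-+") for p in directives.get("ReadWritePaths", [])]
    return paths


def access(path, directives):
    """Return 'rw', 'ro' or 'inaccessible' for path under these directives."""
    home = _last(directives, "ProtectHome", "false")
    if any(_under(path, h) for h in HOME_PATHS):
        if home in TRUE_VALUES:
            return "inaccessible"
        if home == "read-only":
            return "ro"
    if any(_under(path, w) for w in writable_paths(directives)):
        return "rw"
    mode = _last(directives, "ProtectSystem", "false")
    if mode == "strict":
        return "rw" if any(_under(path, e) for e in STRICT_EXEMPT) else "ro"
    if mode == "full":
        return "ro" if any(_under(path, r) for r in RO_FULL) else "rw"
    if mode in TRUE_VALUES:
        return "ro" if any(_under(path, r) for r in RO_TRUE) else "rw"
    return "rw"


def report(unit_text, paths):
    """Map each path to its access mode under the given unit text."""
    directives = parse_unit(unit_text)
    return {p: access(p, directives) for p in paths}


# Constructed unit fragments: the ticket's option list plus the
# StateDirectory=/LogsDirectory= fix from the comments.
HARDENING = """
[Service]
NoNewPrivileges=yes
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
StateDirectory=grafana
LogsDirectory=grafana
"""
UNIT_STRICT = HARDENING + "ProtectSystem=strict\n"
UNIT_FULL = HARDENING + "ProtectSystem=full\n"

# Constructed sample paths: the old default from the log lines, the
# /var defaults, and the "legitimate elsewhere" cases from the discussion.
SAMPLE_PATHS = [
    "/usr/share/grafana/data/sessions",
    "/usr/share/grafana/data/log",
    "/var/lib/grafana",
    "/var/log/grafana",
    "/srv/grafana",
    "/mnt/nfs/grafana",
    "/home/alice/grafana",
    "/etc/grafana/grafana.ini",
]

if __name__ == "__main__":
    for label, unit in (("strict", UNIT_STRICT), ("full", UNIT_FULL)):
        print(f"ProtectSystem={label}")
        for path, mode in report(unit, SAMPLE_PATHS).items():
            print(f"  {mode:<12} {path}")
```

Running it shows both points made above: under either mode the old /usr/share/grafana/data location is read-only (which is exactly the "read-only file system" error in the journal excerpt), StateDirectory=/LogsDirectory= make /var/lib/grafana and /var/log/grafana writable even under strict, and only ProtectSystem=full lets an operator relocate data to /srv or /mnt by editing grafana.ini alone; under strict that needs a matching ReadWritePaths= in the unit as well.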