FS#76893 - [grafana-agent] ProtectHome=true systemd unit option is overly restrictive

Attached to Project: Community Packages
Opened by Giovanni Bottaro (bgiovanni) - Tuesday, 20 December 2022, 23:09 GMT
Last edited by Toolybird (Toolybird) - Wednesday, 03 May 2023, 02:07 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Daurnimator (daurnimator)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The custom grafana-agent.service systemd unit file has the option ProtectHome set to true. According to the manual (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=), when set to 'true' this causes the directories /home, /root and /run/user to become "inaccessible and empty for processes invoked by this unit".

I think this is wrong because under certain conditions it is realistically plausible to have some daemon/program running under a specific user which actually writes its own log files to the home directory of the user who is running it, and as a result grafana-agent should be able to scrape that log. Files which grafana-agent shouldn't be able to read are already protected with DAC anyway.

I'd advise setting the ProtectHome option to 'read-only', as grafana-agent shouldn't need to write to files in those directories (it already has its own folder, /var/lib/grafana-agent).

Closed by Toolybird (Toolybird)
Wednesday, 03 May 2023, 02:07 GMT
Reason for closing: Not a bug
Additional comments about closing: See PM's comment
Comment by Daurnimator (daurnimator) - Friday, 23 December 2022, 11:40 GMT
For the rare situations where someone may have log files in their home directory read by a *system* service, they can probably override ProtectHome to false?
(If you're unfamiliar with it, systemd units can have fields overridden by drop-in files.)
Comment by Giovanni Bottaro (bgiovanni) - Friday, 23 December 2022, 13:36 GMT
Well, my use case was podman running in rootless mode under a specific user, which implies podman writing container volumes (i.e. logs of a containerized webserver, etc.) in the default location: <user_home>/.local/share/containers/storage/volumes/<container_volume>/<files>. I also assume that one may want to read logs produced by a systemd user service or other stuff.

It should also be noted that this behavior is also kind of unexpected/undocumented, given that the systemd service files for the rpm and deb packages in the grafana-agent GitHub repository (which don't seem to apply any hardening at all) do not cause this restriction.
On the other hand, I'd like to remark that the only security benefit that option brings right now is against user misconfiguration of home directory permissions, because (afaik) on Arch they are by default "drwx------".

So far I've worked around this by adding the 'grafana-agent' user to the 'container' user group (whose files I want to be readable) and manually editing the service file shipped by the package, because I didn't know it was possible to override unit options with drop-in files... I guess I'll use these from now on.
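The drop-in mechanism the maintainer points to, as an added example that is not part of this bug report or of the grafana-agent package: a small POSIX shell script that writes an override for grafana-agent.service relaxing ProtectHome= from true to read-only (the value the reporter asks for), leaving the packaged unit file untouched. The unit name comes from the report; the drop-in file name 10-protecthome.conf and the ROOT parameter (defaulting to /etc/systemd/system, pointable at a scratch directory for a dry run) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report or the grafana-agent package):
# create a systemd drop-in that overrides only ProtectHome= for
# grafana-agent.service, instead of editing the unit file the package ships.
#
# Assumptions: unit name grafana-agent.service; the drop-in file name
# 10-protecthome.conf is our own choice; ROOT defaults to /etc/systemd/system
# and can be pointed at a scratch directory for a dry run.

set -eu

# Print the drop-in body for a given ProtectHome= value.
# Valid values per systemd.exec(5): true, false, read-only, tmpfs.
# Anything else is rejected so a typo cannot silently disable the protection.
protecthome_dropin_body() {
    value="$1"
    case "$value" in
        true|false|read-only|tmpfs) ;;
        *) echo "invalid ProtectHome value: $value" >&2; return 1 ;;
    esac
    printf '[Service]\nProtectHome=%s\n' "$value"
}

# Write the drop-in for UNIT under ROOT (default /etc/systemd/system) and
# print the path written, so callers can inspect the file.
write_protecthome_dropin() {
    unit="$1"; value="$2"; root="${3:-/etc/systemd/system}"
    dir="$root/$unit.d"
    file="$dir/10-protecthome.conf"
    mkdir -p "$dir"
    protecthome_dropin_body "$value" > "$file"
    printf '%s\n' "$file"
}

# On a real host, after writing the file, make systemd re-read the unit and
# confirm the effective value before restarting (needs a live systemd, so
# these lines are left as comments here):
#   write_protecthome_dropin grafana-agent.service read-only
#   systemctl daemon-reload
#   systemctl show -p ProtectHome grafana-agent.service
#   systemctl restart grafana-agent.service
```

With read-only, /home stays visible to the agent for scraping (subject to ordinary DAC permissions, as the reporter notes), while writes into home directories remain blocked; `systemctl edit grafana-agent.service` achieves the same thing interactively and puts the drop-in in the same `.d` directory.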
