mirror of
https://github.com/fort-nix/nix-bitcoin.git
synced 2024-11-22 22:33:46 +03:00
security: enable full systemd-status for group 'proc'
Previously, systemd-status was broken for all users except root. Use a 'default' deny policy, which is overridden for group 'proc'. Add operator to group 'proc'. Also, remove redundant XML boilerplate.
This commit is contained in:
parent
96ea2e671c
commit
588a0b2405
@ -227,6 +227,7 @@ in {
|
||||
isNormalUser = true;
|
||||
extraGroups = [
|
||||
"systemd-journal"
|
||||
"proc" # Enable full /proc access and systemd-status
|
||||
cfg.bitcoind.group
|
||||
]
|
||||
++ (optionals cfg.clightning.enable [ "clightning" ])
|
||||
|
@ -7,21 +7,27 @@
|
||||
|
||||
# This mitigates a systemd security issue leaking (sub)process
|
||||
# command lines.
|
||||
# Only allow root to retrieve systemd unit information like
|
||||
# Only allow users with group 'proc' to retrieve systemd unit information like
|
||||
# cgroup paths (i.e. (sub)process command lines) via D-Bus.
|
||||
# This D-Bus call is used by `systemctl status`.
|
||||
services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
|
||||
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
|
||||
|
||||
<!DOCTYPE busconfig PUBLIC
|
||||
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||
|
||||
<policy context="mandatory">
|
||||
<deny send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"/>
|
||||
</policy>
|
||||
</busconfig>
|
||||
'') ];
|
||||
services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
|
||||
(pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
|
||||
<busconfig>
|
||||
<policy context="default">
|
||||
<deny
|
||||
send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"
|
||||
/>
|
||||
</policy>
|
||||
<policy group="proc">
|
||||
<allow
|
||||
send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"
|
||||
/>
|
||||
</policy>
|
||||
</busconfig>
|
||||
'')
|
||||
];
|
||||
}
|
||||
|
@ -103,11 +103,13 @@ def run_tests(extra_tests):
|
||||
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
||||
assert_no_failure("bitcoind-import-banlist")
|
||||
|
||||
# test that `systemctl status` can't leak credentials
|
||||
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
|
||||
assert_matches(
|
||||
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
|
||||
"Failed to dump process list for 'clightning.service', ignoring: Access denied",
|
||||
)
|
||||
# The 'operator' with group 'proc' has full access
|
||||
assert_full_match("sudo -u operator systemctl status clightning 2>&1 >/dev/null", "")
|
||||
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
||||
|
||||
### Additional tests
|
||||
|
Loading…
Reference in New Issue
Block a user