Commit 0e712e93 authored by Philip Withnall, committed by Ray Strode

data: Tighten up systemd sandboxing of accounts-daemon.service

Tighten up the sandboxing of the daemon, paying particular attention to
file system access. Further work could be done to make the daemon run as
a non-root user (User=/Group=/DynamicUser=), drop capabilities
(CapabilityBoundingSet=) and restrict system calls (SystemCallFilter=).

This is a reasonable starting point, though. It has been tested with
adding, modifying and deleting users, and reading/writing user extension
data. Testing was done on a Fedora and a Debian-based system.

The useradd/userdel/usermod subprocesses require a lot of permissions
which the accounts-service daemon itself doesn’t. In future, it might
make sense to run them in a separate privilege-escalated sandbox, and
further restrict the permissions of the accounts-service daemon itself.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
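As an added example (not part of this commit or of the accountsservice project), a small Python lint that parses the `[Service]` directives the commit adds and flags the items the commit message lists as future work (running as root, no `CapabilityBoundingSet=`, no `SystemCallFilter=`), plus the whole-tree `/etc/` write grant and the group-writable state directory. The sample unit text is constructed from the hunk with the Meson placeholders left unsubstituted; the path list and thresholds are the example's own choices.

```python
import re
# Constructed sample input: a subset of the [Service] lines this commit adds,
# with the meson placeholders (e.g. @gdm_conf_file@) left unsubstituted.
SAMPLE_UNIT = """\
[Service]
StateDirectory=AccountsService
StateDirectoryMode=0775
ProtectSystem=strict
SystemCallFilter=~@mount
ReadWritePaths=\\
-@gdm_conf_file@ \\
/etc/ \\
-/var/log/lastlog
ReadOnlyPaths=\\
/run/systemd/seats/
"""

# Writable top-level trees that largely undo ProtectSystem=strict (example's list).
BROAD_WRITABLE = ("/", "/etc", "/usr", "/var", "/boot")

def parse_service(text):
    """Return {directive: [values]} for [Service]; handles '\\' line continuations."""
    joined = re.sub(r"\\\n", " ", text)  # unit-file continuation: backslash + newline
    section, values = None, {}
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, val = line.split("=", 1)  # repeated keys are kept, in order
            values.setdefault(key.strip(), []).append(val.strip())
    return values

def audit(values):
    """Findings a reviewer would raise; mirrors the commit message's to-do list."""
    findings = []
    if "User" not in values and "DynamicUser" not in values:
        findings.append("runs as root: no User= or DynamicUser=")
    for directive in ("CapabilityBoundingSet", "SystemCallFilter"):
        if directive not in values:
            findings.append(f"no {directive}=")
    for entry in " ".join(values.get("ReadWritePaths", [])).split():
        path = entry.lstrip("-").rstrip("/") or "/"  # '-' prefix: ignore if missing
        if path in BROAD_WRITABLE:
            findings.append(f"ReadWritePaths makes the whole {path}/ tree writable")
    mode = values.get("StateDirectoryMode", ["0755"])[-1]  # systemd default is 0755
    if int(mode, 8) & 0o022:
        findings.append(f"StateDirectoryMode={mode} is group- or world-writable")
    return findings
```

Run `audit(parse_service(SAMPLE_UNIT))` to get the four findings for the sample; point it at a real unit's text to lint it the same way.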

!22
parent 152b845b
Pipeline #35588 passed with stage in 1 minute and 15 seconds
...@@ -15,6 +15,53 @@ Environment=GVFS_DISABLE_FUSE=1 ...@@ -15,6 +15,53 @@ Environment=GVFS_DISABLE_FUSE=1
Environment=GIO_USE_VFS=local Environment=GIO_USE_VFS=local
Environment=GVFS_REMOTE_VOLUME_MONITOR_IGNORE=1 Environment=GVFS_REMOTE_VOLUME_MONITOR_IGNORE=1
StateDirectory=AccountsService
StateDirectoryMode=0775
ProtectSystem=strict
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Write access is needed to create home directories:
ProtectHome=false
PrivateTmp=true
PrivateNetwork=true
# We need access to the canonical user database:
PrivateUsers=false
# For D-Bus:
RestrictAddressFamilies=AF_UNIX
SystemCallArchitectures=native
SystemCallFilter=~@mount
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RemoveIPC=true
# In addition to the below paths,
# - @localstatedir@/lib/AccountsService/users/ and
# - @localstatedir@/lib/AccountsService/icons/
# are read/written by the daemon. See StateDirectory= above.
#
# The paths in /etc are not directly modified by AccountsService, but by
# usermod, which it spawns.
#
# The paths in /var/log and /var/mail are touched by useradd/userdel when adding
# or deleting users.
ReadWritePaths=\
-@gdm_conf_file@ \
/etc/ \
-/proc/self/loginuid \
-/var/log/lastlog \
-/var/log/tallylog \
-/var/mail/
ReadOnlyPaths=\
@datadir@/accountsservice/interfaces/ \
@datadir@/dbus-1/interfaces/ \
@path_wtmp@ \
/run/systemd/seats/
[Install] [Install]
# We pull this in by graphical.target instead of waiting for the bus # We pull this in by graphical.target instead of waiting for the bus
# activation, to speed things up a little: gdm uses this anyway so it is nice # activation, to speed things up a little: gdm uses this anyway so it is nice
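Review bot: `ReadWritePaths=/etc/` near the end of this hunk makes the whole of /etc writable, which gives back much of what `ProtectSystem=strict` earlier in the same hunk takes away; the comment above it says only the spawned usermod writes there, so either narrow this to the specific files usermod touches or record it as the follow-up item next to the separate-sandbox idea in the commit message. Also, `StateDirectoryMode=0775` is group-writable where systemd's default is 0755; a one-line comment saying which group needs write access to the state directory would help the next reader.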
......
...@@ -14,7 +14,11 @@ install_data( ...@@ -14,7 +14,11 @@ install_data(
) )
service_conf = configuration_data() service_conf = configuration_data()
service_conf.set('datadir', act_datadir)
service_conf.set('gdm_conf_file', gdm_conf_file)
service_conf.set('libexecdir', act_libexecdir) service_conf.set('libexecdir', act_libexecdir)
service_conf.set('localstatedir', act_localstatedir)
service_conf.set('path_wtmp', path_wtmp)
service = act_namespace + '.service' service = act_namespace + '.service'
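Review bot: the new `service_conf.set('gdm_conf_file', gdm_conf_file)` and `service_conf.set('path_wtmp', path_wtmp)` lines depend on those two Meson variables being defined earlier in the build, which this hunk does not show; if either is an empty string the generated unit gets a blank entry in `ReadWritePaths=` or `ReadOnlyPaths=`, and the `-` prefix on `@gdm_conf_file@` only tolerates a missing path at runtime, not an empty substitution. Worth asserting both are non-empty at configure time, or giving them a fallback the way `datadir` and `localstatedir` come from `act_datadir`/`act_localstatedir`.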
......