qbit/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/stargazer: harden systemd service

Browse Source
This commit is contained in:
gaykitty 2024-03-10 15:22:32 -04:00
parent 77430d388d
commit be1336d8b8
3 changed files with 44 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nixos/doc/manual/release-notes/rl-2411.section.md
View File

@ -235,6 +235,12 @@
for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
data and the filesystem for blobs). data and the filesystem for blobs).
- The `stargazer` service has been hardened to improve security, but these
changes make break certain setups, particularly around traditional CGI.
- The `stargazer.allowCgiUser` option has been added, enabling
Stargazer's `cgi-user` option to work, which was previously broken.
- The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The nixos module therefore, now provides an environmentFile option: - The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The nixos module therefore, now provides an environmentFile option:
``` ```

38
nixos/modules/services/web-servers/stargazer.nix
View File

@ -225,6 +225,44 @@ in
"CAP_SETGID" "CAP_SETGID"
"CAP_SETUID" "CAP_SETUID"
]; ];
# Hardening
UMask = "0077";
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "full";
ProtectClock = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
PrivateDevices = true;
NoNewPrivileges = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
RestrictRealtime = true;
RemoveIPC = true;
CapabilityBoundingSet = [
"~CAP_SYS_PTRACE"
"~CAP_SYS_ADMIN"
"~CAP_SETPCAP"
"~CAP_SYS_TIME"
"~CAP_SYS_PACCT"
"~CAP_SYS_TTY_CONFIG "
"~CAP_SYS_CHROOT"
"~CAP_SYS_BOOT"
"~CAP_NET_ADMIN"
] ++ lib.lists.optional (!cfg.allowCgiUser) [
"~CAP_SETGID"
"~CAP_SETUID"
];
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete" ]
++ lib.lists.optional (!cfg.allowCgiUser) [ "@privileged @setuid" ];
}; };
}; };

2
nixos/tests/web-servers/stargazer.nix
View File

@ -145,8 +145,6 @@ in
geminiserver.wait_for_unit("scgi_server") geminiserver.wait_for_unit("scgi_server")
geminiserver.wait_for_open_port(1099) geminiserver.wait_for_open_port(1099)
geminiserver.wait_for_unit("stargazer") geminiserver.wait_for_unit("stargazer")
geminiserver.wait_for_unit("stargazer")
cgiTestServer.wait_for_open_port(1965)
cgiTestServer.wait_for_open_port(1965) cgiTestServer.wait_for_open_port(1965)
with subtest("stargazer test suite"): with subtest("stargazer test suite"):