# systemd

User65k edited this page Aug 23, 2021 · 2 revisions
Systemd can apply an extensive set of security restrictions to the environment the webserver runs in. See systemd.exec(5), "Execution environment configuration", for the meaning of each directive used below.
```ini
[Unit]
Description=Flash Rust Webserver

[Service]
ExecStart=/opt/frws/frws
WorkingDirectory=/opt/frws/
#Environment=RUST_LOG=trace

#create a UNIX user and group for this service
DynamicUser=yes
#make everything read only
ProtectSystem=strict
#allow write for a DAV mount and ACME
#ReadWritePaths=/var/www/dav/ /etc/letsencrypt/
#hide content of user homes
ProtectHome=true
#private /tmp/ and /var/tmp/
PrivateTmp=true
#hide all but process management and introspection
ProcSubset=pid
#hide processes owned by other users
ProtectProc=invisible
#only expose /dev/null, ...
PrivateDevices=true
#make kernel variables read only
ProtectKernelTunables=true
#make cgroups read only
ProtectControlGroups=true
#deny changing the system clock or the hardware clock
ProtectClock=true
#own user namespace: all other users and groups appear as nobody
PrivateUsers=true
#deny access to kernel log
ProtectKernelLogs=true
#deny explicit module loading
ProtectKernelModules=true
#deny realtime scheduling
RestrictRealtime=true
#lock down the personality system call
LockPersonality=true
#deny memory mappings that are writable and executable at the same time (W^X)
MemoryDenyWriteExecute=true
#restrict socket usage to unix and inet4+6. could even be none if neither FCGI nor websocket forwarding is used
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
#deny access to any kind of namespacing
RestrictNamespaces=true
#allow only the following groups of syscalls. this is an allow-list: a syscall outside these groups kills the process with SIGSYS
SystemCallArchitectures=native
SystemCallFilter=@aio @basic-io @io-event @network-io @file-system @ipc @process
#remove all Capabilities. without CAP_NET_BIND_SERVICE the server cannot bind ports below 1024 itself, so ports like 80 have to come from the socket unit
CapabilityBoundingSet=
#only expose the loopback interface. enable if no (outgoing) connections to other machines are made
#PrivateNetwork=true

[Install]
WantedBy=multi-user.target
```

Check the restrictions with: `systemd-analyze security frws`
To start everything:

```shell
$ sudo nano /etc/systemd/system/frws.socket
$ sudo nano /etc/systemd/system/frws.service
$ sudo systemctl daemon-reload
$ sudo systemctl enable frws.socket
$ sudo systemctl start frws.socket
$ sudo systemctl enable frws
$ sudo systemctl start frws
```

A socket unit can be used to bind all served ports while the server itself runs in a constrained environment (user, namespaces, ...). To use it, the address of the socket passed by systemd must match the one specified in the config. Note that the passed socket addresses are logged at startup.
```ini
[Socket]
#bind port 80 on all addresses; with BindIPv6Only=both one dual-stack socket serves IPv4 and IPv6
ListenStream = 80
BindIPv6Only = both
#a second, loopback-only port. ListenStream= may be repeated for every port to bind
ListenStream = 127.0.0.1:1337
#pass the listening socket itself, not one accepted connection per service instance
Accept=no

[Install]
WantedBy = sockets.target
```

The matching server config, with an `ip` entry for each socket passed by systemd:

```toml
[localhost]
ip = "127.0.0.1:1337"

["example.com"]
ip = "[::]:80"
```

The journal logger is available as a pre-configured appender. Note that it is used by default if the server is started by systemd.
See logging.

```toml
[log.root]
level = "warn"
appenders = ["journal"]
```

To read the log: `journalctl -u frws`
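The socket unit and the server config above have to agree on every address, and a port added to one file but not the other only shows up as a startup error. As an added example that is not part of the frws project, the following shell script extracts the `ListenStream=` entries of a socket unit and the `ip = "..."` entries of a config (both supplied inline as constructed samples in the shape of the two files above) and reports any configured address that systemd would not pass. It assumes that a bare port number in `ListenStream=` ends up as `[::]:PORT` on a dual-stack socket (as with `BindIPv6Only=both`) and that every other `ListenStream=` value is used verbatim; `socket_addrs`, `config_addrs` and `check_match` are names chosen here, not frws tooling.

```shell
#!/usr/bin/env bash
# Added example, not part of frws: check that every `ip = "..."` address in the
# frws config has a matching ListenStream= in the socket unit, so that the
# socket systemd passes is one the server expects.
# Assumption: a bare port in ListenStream= binds "[::]:PORT" on a dual-stack
# socket (BindIPv6Only=both); any other ListenStream= value is taken verbatim.

# Constructed sample inputs in the shape of frws.socket and the server config.
SOCKET_UNIT='[Socket]
ListenStream = 80
BindIPv6Only = both
ListenStream = 127.0.0.1:1337
Accept=no

[Install]
WantedBy = sockets.target'

FRWS_CONFIG='[localhost]
ip = "127.0.0.1:1337"

["example.com"]
ip = "[::]:80"'

# Print the normalized listen addresses of a socket unit, one per line.
socket_addrs() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*ListenStream[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
    while IFS= read -r addr; do
        case "$addr" in
            *:*) printf '%s\n' "$addr" ;;       # host:port or [v6]:port: keep as is
            *)   printf '[::]:%s\n' "$addr" ;;  # bare port: dual-stack wildcard
        esac
    done
}

# Print the `ip = "..."` values of the frws config, one per line.
config_addrs() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*ip[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 if every configured ip has a ListenStream=; otherwise print the
# missing ones on stderr and return 1.
check_match() {
    listened=$(socket_addrs "$1")
    missing=0
    for want in $(config_addrs "$2"); do
        if ! printf '%s\n' "$listened" | grep -Fxq -- "$want"; then
            printf 'no ListenStream= for %s\n' "$want" >&2
            missing=1
        fi
    done
    return "$missing"
}

check_match "$SOCKET_UNIT" "$FRWS_CONFIG" && echo "socket unit and config agree"
```

On a real host, replace the two sample strings with the contents of `/etc/systemd/system/frws.socket` and of the server config. The bare-port rule follows systemd.socket(5): a plain number is bound as an IPv6 wildcard, and whether that socket also takes IPv4 depends on `BindIPv6Only=`; with the `default` setting it falls back to the kernel's `net.ipv6.bindv6only` sysctl, which is why the unit above sets `both` explicitly.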