Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

treewide: Remove ineffective capability grants. #333533

Merged
merged 1 commit into from
Nov 6, 2024
Merged

treewide: Remove ineffective capability grants. #333533

merged 1 commit into from
Nov 6, 2024
+2 −27

Conversation

eduarrrd
Copy link
Contributor

@eduarrrd eduarrrd commented Aug 9, 2024

Systemd units with PrivateUsers set get their capabilities within the user namespace only [1].
As a result they do cannot bind to privileged ports even though they appear like they should be able to.

The units in this commit [2] set PrivateUsers unconditionally so binding to privileged ports is currently impossible.
Granting them CAP_NET_BIND_SERVICE is useless and misleading any reader of those modules.
Technically, this commit also hardens these modules ever so slightly.

(There are corner cases where this could make sense (e.g. across units, using JoinsNamspaceOf) but this is arcane enough to not to be present in nixpkgs.)

[1]: systemd.exec(5): PrivateUsers
[2]: found using rg -e 'PrivateUsers.?=\s+[^f][^a]' -l | xargs rg -e '\bCAP_' -l

Description of changes

See commit message above.

Decisions taken:

  • err on side of caution: disable caps instead of missing with PrivateUsers value
  • remove empty capability settings: they do not add any value unless they are acting as overrides

Observations:

  • many of the services that work around this disable PrivateUsers conditionally. This is not explicitly exposed and typically a result of setting that service's .port to a privileged value. Having the port number control 2 hardening settings is clearly not the right UX. But out of scope for this PR.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Aug 9, 2024
@eduarrrd
treewide: Remove ineffective capability grants.
cb10fe8 
Systemd units with `PrivateUsers` set get their capabilities within the user namespace only [1].
As a result they do cannot bind to privileged ports even though they *appear* like they should be able to.

The units in this commit [2] set `PrivateUsers` unconditionally so binding to privileged ports is currently impossible.
Granting them CAP_NET_BIND_SERVICE is useless and misleading any reader of those modules.
Technically, this commit also hardens these modules ever so slightly.

(There are corner cases where this could make sense (e.g. across units, using `JoinsNamspaceOf`) but this is arcane enough to not to be present in nixpkgs.)

[1]: systemd.exec(5): PrivateUsers
[2]: found using `rg -e 'PrivateUsers.?=\s+[^f][^a]' -l | xargs rg -e '\bCAP_' -l`
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild 10.rebuild-linux: 1-10 labels Aug 9, 2024
Scrumplex
Scrumplex approved these changes Oct 9, 2024
View reviewed changes
Copy link
Member

@Scrumplex Scrumplex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes LGTM. Reasoning also aligns with how user namespaces work

@Scrumplex Scrumplex added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Oct 9, 2024
fpletz
fpletz approved these changes Oct 10, 2024
View reviewed changes
Copy link
Member

@fpletz fpletz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the catch and the fixes.

@fpletz
Copy link
Member

fpletz commented Oct 10, 2024

Observations:

  • many of the services that work around this disable PrivateUsers conditionally. This is not explicitly exposed and typically a result of setting that service's .port to a privileged value. Having the port number control 2 hardening settings is clearly not the right UX. But out of scope for this PR.

I totally agree. We should at least compile a list of affected modules and open a tracking issue to fix these. Would you like to do that?

Flakebi
Flakebi approved these changes Oct 30, 2024
View reviewed changes
Copy link
Member

@Flakebi Flakebi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change looks good to me :)

@wegank wegank added 12.approvals: 2 This PR was reviewed and approved by two reputable people and removed 12.approvals: 1 This PR was reviewed and approved by one reputable person labels Oct 31, 2024
@fpletz fpletz merged commit 0fc41ad into NixOS:master Nov 6, 2024
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fpletz fpletz fpletz approved these changes

@Scrumplex Scrumplex Scrumplex approved these changes

@Flakebi Flakebi Flakebi approved these changes

@minijackson minijackson Awaiting requested review from minijackson

@surfaceflinger surfaceflinger Awaiting requested review from surfaceflinger

@etu etu Awaiting requested review from etu

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild 10.rebuild-linux: 1-10 12.approvals: 2 This PR was reviewed and approved by two reputable people
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@eduarrrd @fpletz @Flakebi @Scrumplex @wegank