From a994d347caf4fdb7ca2b1c28ecbea7bf9cc51c0d Mon Sep 17 00:00:00 2001 From: Andreas Olsson Date: Sun, 13 Sep 2020 14:04:21 +0200 Subject: [PATCH] Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. --- examples/systemd/rest-server.service | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/examples/systemd/rest-server.service b/examples/systemd/rest-server.service index a8a00ae..f5ac77a 100644 --- a/examples/systemd/rest-server.service +++ b/examples/systemd/rest-server.service @@ -7,9 +7,16 @@ After=network.target Type=simple User=www-data Group=www-data -ExecStart=/usr/local/bin/rest-server --path /tmp/restic +ExecStart=/usr/local/bin/rest-server --path /path/to/backups Restart=always RestartSec=5 +# Optional security enhancements +NoNewPrivileges=yes +PrivateTmp=yes +ProtectSystem=strict +ProtectHome=yes +ReadWritePaths=/path/to/backups + [Install] WantedBy=multi-user.target
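Review bot: with `ProtectSystem=strict` in place, the path in `ExecStart=/usr/local/bin/rest-server --path /path/to/backups` and the one in `ReadWritePaths=/path/to/backups` must be kept identical; anyone who edits only the `ExecStart` line (the obvious place to put their real backup directory) will get an otherwise read-only filesystem and the first write will fail. Suggest a comment on the `ReadWritePaths` line that says so, e.g. `# Must match the --path argument given to ExecStart above`. On the same hunk, the header `# Optional security enhancements` reads as if the directives below it were commented out, but they are active as written; a label such as `# Security hardening, see systemd.exec(5)` would describe the block more accurately and point readers at the documentation the commit message already references.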