The systemd administrator may wish to use additional resource control
facilities which systemd provides. Document the existence of these, and
provide some example options in commented form.
The supplied systemd unit file places some basic security restrictions
on the rest service. This patch enhances those, and improves the
overall security assessment score given by `systemd-analyze security`
from "8.3 EXPOSED" to "1.3 OK".
Closes#148
"/" is valid char in HTTP authorization headers, but is also used in
rest-server to map usernames to private repos.
This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".
Closes#131
In addition to any existing filesystem restrictions on the (www-data)
backup user these config options uses namespaces and other kernel
features to further restrict what the _rest-server_ is allowed to do.
* `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures
that the _rest-server_ is only allowed to write to its data directory.
* `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_
gets (read) access to.
* `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid
binaries, etc to escalate its privileges.
See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
for further details
While at I also replaced the _/tmp/restic_ path with a more explicit
placeholder path. Given that one rarely wants to backup to _/tmp_ I
figured it better to force a choice of path rather than to have
someone accidentally end up using _/tmp/restic_ for their backups.
Goji routes incoming requests without first URL decoding the path, so
'%2F' in a URL will not be decoded to a '/' before routing. But by the
time that we perform the path checks for private urls on r.URL.Path,
these characters have been decoded.
As a consequence, a user 'foo' could use 'foo%2Fbar' as the repo name.
The private repo check would see that the path starts with 'foo/' and
allow it, and rest-server would happily create a 'foo/bar' repo. Other
more harmful variants are possible.
To resolve this issue, we now reject any name part that contains a '/'.
Additionally, we immediately reject a few other characters that are
disallowed under some operating systems or filesystems.
The directive "StartLimitInterval" has been replaced by [StartLimitIntervalSec=interval, StartLimitBurst=burst](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=interval). I'd suggest that the default backoff settings are fine (in Ubuntu 19.10 no more than 5 restarts per 10 seconds, else delayed by 10 seconds per attempt) so this directive can simply be removed.
