nixos/rspamd: add sandbox #93293
Conversation
Drop preStart script in favour of systemd StateDirectory parameter.
2fbc96f to 7e9f3e9
I have a bunch of DKIM signing keys in /etc/pki/dkim. Can rspamd still read those after those changes take effect?
They need to be readable by the rspamd user. Maybe this should be mentioned in the changelog.
Is that a new requirement created by this PR? I was under the impression that it needs to be this way since, like, forever.
That sounds good. In that case, I am basically in favor of this change. I do think it's necessary to do a good deal of testing before it's merged, though, because the consequences of accidentally breaking the mail system are really bad.
I have not tested, but I saw that this PR changes from letting the service itself drop privileges to starting as a user in the first place. Some services take the opportunity to read secret files before dropping privileges. If that is not the case, ignore my comment.
Regarding testing, I suggest adding those hardening options to https://github.com/rspamd/rspamd/blob/master/rspamd.service as well and letting the rspamd maintainers have a look at it in a PR. We don't need to wait for them to merge it, but they usually have better ideas about the internals. We did something similar for netdata: netdata/netdata#9234
Cosmetics fixed. I will create an upstream PR for the hardening options.
From my experience this was a common pattern in software developed back in the 90s-2000s which start as
@tnias remind me in a few days. If upstream does not want to review it, we just go ahead.
preStart = '' | ||
${pkgs.coreutils}/bin/mkdir -p /var/lib/rspamd | ||
${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /var/lib/rspamd |
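Review bot: dropping the preStart mkdir/chown in favour of StateDirectory= leaves anything the old root-started service already created under /var/lib/rspamd (the socket, for example) owned by root, because systemd only fixes ownership of the directory itself, not its existing contents. A one-off `ExecStartPre = "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} /var/lib/rspamd"` gated on the state version (the leading `+` runs it with full privileges despite User=) would cover upgrades of existing installations.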
I just applied this to my server, but when upgrading I noticed that some files, including /var/lib/rspam/rspamd.sock, were still owned by root. It looks like StateDirectory is not applied recursively if /var/lib/rspamd is owned by rspamd.
I would add an ExecStartPre, with mkIf (versionOlder stateVersion "20.09"), that does:
ExecStartPre = "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} /var/lib/rspamd";
Someone also tested this on archlinux according to the thread.
@Mic92 I didn't really look over this PR, but my setup runs pretty well with #87661 and these additional overrides:

{
  serviceConfig = {
    ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
    Restart = "always";
    User = "rspamd";
    Group = "rspamd";
    StateDirectory = "rspamd";
    RuntimeDirectory = "rspamd";
    MemoryDenyWriteExecute = false;
    SystemCallFilter = "@basic-io @file-system @network-io @system-service"; # @system-service is **probably** enough
    PrivateNetwork = false;
    RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
  };
}
@system-service includes the other 3.
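Putting the migration chown from Mic92's comment and the override set above together in one NixOS module fragment, as an added example that is not the PR's own code; it assumes the rspamd module's usual `cfg` (cfg.user, cfg.group, cfg.debug) and that it stands in for the module's own serviceConfig rather than being layered on top of it:

```nix
# Added example, not code from the PR. Assumes the rspamd module's cfg
# (cfg.user, cfg.group, cfg.debug) and that this replaces its serviceConfig.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.rspamd;
in
{
  systemd.services.rspamd.serviceConfig = {
    ExecStart = "${pkgs.rspamd}/bin/rspamd ${lib.optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
    Restart = "always";

    # Start as the unprivileged user directly instead of letting rspamd drop
    # privileges itself. StateDirectory/RuntimeDirectory replace the old
    # preStart mkdir/chown, but systemd only chowns the directory itself,
    # not files that already exist inside it.
    User = cfg.user;
    Group = cfg.group;
    StateDirectory = "rspamd";    # /var/lib/rspamd
    RuntimeDirectory = "rspamd";  # /run/rspamd

    # One-off migration for installations that predate the switch: files
    # created by the previously root-started service are still owned by root.
    # The leading "+" runs this single command with full privileges even
    # though User= is set, so the recursive chown succeeds before rspamd starts.
    ExecStartPre = lib.mkIf (lib.versionOlder config.system.stateVersion "20.09")
      "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} /var/lib/rspamd";

    # Sandboxing: @system-service already contains @basic-io, @file-system
    # and @network-io, so listing it alone is sufficient.
    SystemCallFilter = [ "@system-service" ];
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    # rspamd embeds LuaJIT, which needs writable+executable memory and so
    # does not run under MemoryDenyWriteExecute.
    MemoryDenyWriteExecute = false;
  };
}
```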
@@ -394,16 +394,43 @@ in | |||
restartTriggers = [ rspamdDir ]; | |||
|
|||
serviceConfig = { | |||
ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c /etc/rspamd/rspamd.conf -f"; |
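Review bot: this ExecStart line still passes --user=${cfg.user} --group=${cfg.group} and --pid=/run/rspamd.pid. Once the unit itself starts as cfg.user via User=/Group=, the --user/--group flags are redundant (rspamd is no longer root, so it also cannot chown its socket for postfix, as noted in the thread), and a pid file written directly to /run will fail for an unprivileged user; with RuntimeDirectory= set it should live under /run/rspamd, or be dropped entirely since the service already runs in the foreground with -f.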
I just noticed one regression: when postfix.enable = true, the rspamd socket is chowned to postfix. However, this no longer works if rspamd is started as the rspamd user right away, because of lacking permissions.
@GrahamcOfBorg test rspamd
The
@tnias are you still interested in fixing postfix integration?
@Mic92 I have not yet found a way I really like. I think in my current setup the socket is accessible to world, but that is not really an elegant solution. If anyone has ideas or patches I'd be happy to see and integrate those. Or if anyone wants to take over I would be good with that, too. :)
ACLs might be able to solve this, but that might not work on all filesystems we support.
As the upstream seems unwilling to move forward, what needs to be resolved to merge this downstream?
@mweinelt postfix integration needs to be fixed #93293 (comment)
I fixed postfix integration.
Some of the other nixos tests are still broken.
d5a6d86 to 3b6ef96
All tests are fixed now.
Thx 😍
Simple nixos mailserver tests still pass.
Motivation for this change
Better systemd service sandboxing.

Things done
- sandbox in nix.conf (on non-NixOS linux)
- nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- ./result/bin/
- nix path-info -S (before and after)

cc rspamd maintainers @avnik @fpletz @globin