Improve systemd security #352
Labels
No Label
bug
data loss
design finalized
good first issue
new feature area
question / support
security
waiting for response
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: borgmatic-collective/borgmatic#352
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
What I'm trying to do and why
I would lite to improve the security setiings of the systemd service for borgmartic.
Although I trust borgmatic in principle, I think it's good practice to restrict the privilidges to the minimum required.
Other notes / implementation ideas
I read about additional security settings for systemd services to apply restrictiion even if the service is running as root (which is required in my case to backup system settings etc.). Checking teh current security level with
systemd-analyze security borgmatic
provided a rating of→ Overall exposure level for borgmatic.service: 9.6 UNSAFE 😨
.After some search I found a comment from @nicoulaj in an older ticket #205 related to systemd service which already proposed to add such security settings, but @witten finally decided to leave it out due to lack of expierience.
Can we maybe pick-up this topic again and try to find some settings which should work for majority of use cases?
There are many possible settings as you can find on systemd.exec, but I would focus on the ones with high ratings from
systemd-analyze
output. Note that thesecurity
option was added in systemd v240 and is not available in Ubunu 18.04 which uses v237.I started with a few settings (less than in the above mentioned comment) which improved the score to 7.7 at least:
I'm not sure if borgmatic needs write access anywhere besides the backup destination. In above comment there was a line allowing access to a few folders, but not sure if this is required (e.g. /mnt/backup semms to be the backup destination, while I use remote via ssh)
Environment
borgmatic version: 1.5.9
borgmatic installation method: Python venv & pip installso
Borg version: 1.1.11
Python version: 3.7.7 / 3.8.2
operating system and version: Solus / Ubuntu 20.04.1
systemd securityto Improve systemd securityThe systemd security settings will partly depend on the backup destination used and the pre/post hooks used.
Examples:
For the 26 system capabilities it is possible to explicitely allow and/or deny them as needed. To me it seems that usually not many are required for a normal backup, but not quite sure.
In the settings of @nicoulaj there are quite a lot capabilities allowed, whould be good to understand for each of them why. Again, it may depend on the use case.
chroot
orsetns
used by borgmatic?Checking the list of other settings used by @nicoulaj, most make sense to me, but some seem obsolete and some I don't understand.
PrivateDevices=yes
ProtectSystem=strict
/root/.config
/root/.cache/borg
/mnt/backup
indicates that this is used as backup destination, so this depends on the specific use caseWith some try & error I tuned the security settings for my use case and reached an
OK
rating fromsystemd-analyze security borgmatic
.Write access to
/root/.borgmatic
is required for themysql
backup.The
CAP_NET_RAW
is required for my pre-backup hook which usesping
to check the reachability of the remote server.Interestingly the value calculated by
systemd-analyze security borgmatic
differs between Ubuntu 20.04.1 and Solus (latest version), even though both are on systemd v245 release. For some reason the values per security setting differ, e.g.PrivateNetwork
on Solus is rated with0.6
and on Ubuntu with0.5
and some settinsg are ignored on Solus.The systemd seems to use different settings on each system:
On Solus I get a rating of 4.4 (OK) and on Ubuntu 2.5 (OK).
I appreciate all the work you are putting in on this! I'll try to answer some of the questions that you've raised during your investigations:
Yeah, as you discovered
~/.borgmatic
is needed for backup dumps.In terms of read-write disk access,
~/.borgmatic
is it. But connecting to the database does use local or remote network.It's not using the
mknod
command. It is creating named pipes for use in streaming database dumps.Nope.
Also, as for some of the particular settings:
You could probably restrict these further to
/root/.config/borg
and/root/.cache/borg
respectively.The rest of the settings look fine to me, just giving a skim of the
systemd.exec
man page, and given my limited systemd knowledge. I think the main challenge will be for users to remember to updateReadWritePaths
with any repository destinations.Did you want to submit a PR for all of these additions?
@witten thanks for your feedback and answers.
I will continue my test for a while (1-2 weeks maybe) to ensure that nothing strange happens or anyone else has a comment/suggestion, before submitting a PR.
Besides updating the template file (with some comments). Shoudl I comment-out all or most of this settings by default to ensure that it doesn't break anything before it is proprely customised? Alternative would be to expect that the user checks the settings and adjusts them if needed.
In addition some brief explanation to the documentation How to set up backups with borgmatic > systmd could help, maybe just a hint that the
borgmatic.service
file requires some customisation to improve the secuirity.Sounds good. I'm okay if you want to leave these settings uncommented.. This is only a sample configuration file anyway, so it's okay in my opinion if the user has to do some customization instead of copying it blindly. Your choice though.
In any case, it might be nice to update the comment in
borgmatic/config/schema.yaml
for therepositories
option to remind the user to update the systemdReadWritePaths
for any local repositories if they are in fact using systemd.Yes, that makes sense to me!
Merged into master!
Thanks for your (collective) work on this. :)
I've enabled these settings on one system, so far, and had to make one modification. Pinging to healthchecks I have to change
MemoryDenyWriteExecute
to no, otherwise I see the following:(Just for the sake of documenting it…)
Thanks for the testing and reporting back! I'll go ahead and make that change to master so as not to prevent Healthchecks pings.
Thanks for testing and updating this setting. I'm not using healthchecks, that's why it worked for me with
MemoryDenyWriteExecute=yes
.The systemd manual MemoryDenyWriteExecute mentions some cases where it causes issues:
Assume that this is affecting the Healthchecks function.
Maybe add a comment in the service sample that this function may be set to "yes" to further improve security but conflicts with the Healthchecks hook and maybe other features.
Looking at the code for the Healthchecks hook it might be that
requests
causes the issue incirectly. In a Google search I found a hint that the certificat verification of the https request may cause it by using a C library: mgr/dashboard: openssl exception when verifying certificates of HTTPS requests. This means that any hook that uses https would be impacted.Good call. Done!