From aa46ee57bb62bd0eb4c1b56d7f5e9386d3e63dd1 Mon Sep 17 00:00:00 2001
From: TomZ
Date: Sat, 24 Jul 2021 12:48:19 +0200
Subject: [PATCH] [Security] do not run as root.

An Internet accessible service should aim to have as little as possible attack surface, which is much easier to do when running with the absolute minimum number of priviledges. This makes the systemd setup run the service as a user 'yggdrasil' and uses the systemd feature `RuntimeDirectory` to auto-create the /var/run/yggdrasil dir so our non-elevated client can still create the socket. The sysusers file will cause the user be created on first install using the sysusers subsystem.
---
 contrib/systemd/yggdrasil.service | 7 ++++++-
 contrib/systemd/yggdrasil.sysusers | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 contrib/systemd/yggdrasil.sysusers

diff --git a/contrib/systemd/yggdrasil.service b/contrib/systemd/yggdrasil.service
index f8c2dd22..f824cf02 100644
--- a/contrib/systemd/yggdrasil.service
+++ b/contrib/systemd/yggdrasil.service
@@ -6,16 +6,21 @@ After=network-online.target
 After=yggdrasil-default-config.service
 
 [Service]
+User=yggdrasil
 Group=yggdrasil
 ProtectHome=true
 ProtectSystem=true
 SyslogIdentifier=yggdrasil
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
 ExecStartPre=+-/sbin/modprobe tun
 ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 TimeoutStopSec=5
+# make sure /var/run/yggdrasil/ is created writable for the user.
+RuntimeDirectory=yggdrasil
+# the small list of admin capabilities we need to do our job
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
+
 
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/systemd/yggdrasil.sysusers b/contrib/systemd/yggdrasil.sysusers
new file mode 100644
index 00000000..1cea8959
--- /dev/null
+++ b/contrib/systemd/yggdrasil.sysusers
@@ -0,0 +1 @@
+u yggdrasil - "Yggdrasil network daemon"
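Review bot: Removing `CapabilityBoundingSet=` when adding `AmbientCapabilities=` leaves the bounding set at the default, so the now-unprivileged process and anything it executes are no longer capped to the three network capabilities; keep the bounding line next to the ambient one, `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE`, so the ambient grant is the only way to hold them and children cannot regain more. With `User=yggdrasil` in effect, /etc/yggdrasil.conf named on the `ExecStart=` line must be readable by that account; if yggdrasil-default-config.service writes it root-owned with a restrictive mode (not visible here), the daemon will fail at start-up, and the fix belongs in that service as a group-readable ownership (for example root:yggdrasil 0640) rather than making a file that presumably holds the node's private key world-readable. `RuntimeDirectory=` creates /run/yggdrasil with the default mode 0755; if the socket placed there is meant for the service group only, add `RuntimeDirectoryMode=0750` so the directory is not traversable by other users. The [Service] section starts inside the hunk, but the rest of the unit lies outside it.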
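Review bot: Nothing in this patch installs `yggdrasil.sysusers` into a sysusers.d directory, so unless packaging outside the diff copies it to a path such as /usr/lib/sysusers.d/yggdrasil.conf and runs systemd-sysusers, the new `User=yggdrasil` in the unit will name an account that does not exist and the service will fail to start. A leading comment in the file, stating that it is consumed by systemd-sysusers(8) and where it is expected to be installed, would make that dependency explicit for packagers; sysusers.d files accept `#` full-line comments.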