Hacker Newsnew | past | comments | ask | show | jobs | submit | ryandotsmith's commentslogin

Are there common patterns or examples of directives that operators should be aware of?

I know the post linked to systemd docs, but I’d enjoy seeing some snippets of directives people are using to achieve this kind of hardening.


I have a dropin called security.conf that I link in to most of my services, and then create an unsecurity.conf to disable/revert any directives not compatible with the service.

  [Service]
  DynamicUser=yes
  PrivateTmp=true
  PrivateDevices=true
  PrivateNetwork=true
  PrivateUsers=true
  InaccessiblePaths=-/mnt/
  ProtectSystem=strict
  ProtectHome=true
  ProtectHostname=true
  ProtectKernelTunables=true
  ProtectKernelModules=true
  ProtectKernelLogs=true
  ProtectControlGroups=true
  ProtectClock=true
  ProtectProc=invisible
  ProcSubset=pid
  RestrictNamespaces=true
  RestrictRealtime=true
  RestrictSUIDSGID=true
  LockPersonality=true
  NoNewPrivileges=true
  RemoveIPC=true
  IPAddressDeny=any
  UMask=0077
  SystemCallArchitectures=native
  RestrictAddressFamilies=none
  MemoryDenyWriteExecute=true
  SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @reboot @swap @raw-io @privileged @resources
  CapabilityBoundingSet=~CAP_SYS_PACCT CAP_KILL CAP_WAKE_ALARM CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_TTY_CONFIG CAP_SYS_BOOT CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_MKNOD CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SYS_NICE CAP_SYS_RESOURCE CAP_NET_ADMIN CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_BPF CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
MemoryDenyWriteExecute gets set back to "no" quite a lot because interpreters like to use it for JITing, but it prevents a whole class of exploits on services where it can stay enabled.

I also like to socket-activate services as often as possible so they don't need access to network interfaces. Even if a service doesn't support socket-activation itself, it can usually be shimmed in with systemd-socket-proxyd, which also provides good functionality for stopping services when there are no connections to them (they get started again by the next connection).


So this looks pretty nice but I have to say...

> then create an unsecurity.conf to disable/revert any directives not compatible with the service

I've been using linux for something like 25 years now, and this just sounds like a heck of a lot of grokking and work (and maybe even trial and error?) for the mortals, no? I would think distribution maintainers should be the ones flipping more of these switches, and if they aren't, might that point to them being overly aggressive?


> this just sounds like a heck of a lot of grokking and work (and maybe even trial and error?) for the mortals, no?

Absolutely. For the record, when I say "my services" I mean services that I'm writing, not any service running on my system. I consider this hardening to be part of development, to be done by the developer responsible for it, whether that's the upstream dev or package maintainer. I would not consider it to be the responsibility of a random end-user and I wouldn't recommend most to try unless they're personally interested in it.

That being said, for developers, these switches make it crazy easy to sandbox your service compared to older solutions. So much so that I actually bother doing it now.


There seems to be some formatting issues on the current version of the site.

The GH page is easier to read: https://github.com/zelang-dev/c-asio


Thanks for that!

Yeah their static site generator seems to be a bit deficient.


Does anyone have an idea of how this is built? I wonder if they are using QUIC with relay servers or something like Tailscale's DERP.


It's something closer to Tailscale DERP.

We evaluated QUIC (and many other approaches). Turns out it's a lot harder than you might think to move traffic at high speed across the world, over residential-grade internet, and not drain your battery.


Did you consider Iroh and if you chose not to use it, why not?


If it's truly p2p, some relay would be there in case the client cannot be reached through NAT. Not sure how they would bear the cost of the bandwidth for unlimited transfers in that case


Traffic is pretty cheap outside the big clouds. For example Hetzner charges $1/TB on a 10Gbit connection


Their 1Gbit connections are unmetered.


I wouldn't be surprised if it's built with Iroh

https://www.iroh.computer/


Yes. It is this spirit that got me excited about computers. It's impressive that OpenBSD has remained consistent all these years. One of my all time favorite projects.


There is so much fun programming lore in this video. Informative and entertaining. For example:

- Task manager started as a weekend side project

- Author had an assertion message with his home phone number that made it into an NT beta release


Here's an example of extracting context values in a custom slog handler:

https://github.com/indexsupply/x/blob/main/wslog/slog_test.g...


Agreed!


Used this to voice my lack of support for the tiktok ban (patriot act 2.0). There might be a better site to use, perhaps one that automates the message.


It's fun to go through the qualifying exams:

https://math.mit.edu/~yyao1/pdf/qualifying_round_2023_test.p...


How does being able to integrate all that random stuff analytically make me any smarter, wealthier, more creative, or better at my job?

I mean, why not a "long division bee" as well? It's just as useful. It would be more impressive to hold a contest for the best (open-source) program to arrive at the answers.


maybe it's not fun for you. it's fun for other people


Because they don't know how to have any real fun?


1. Yes. YouTube has made it much more accessible in recent decades. I talk with my friend who lives a few miles away. We love it.

- KN6LLA


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: