systemd-analyze security reports Hydra's services as all highly exposed and unsafe
UNIT                          EXPOSURE PREDICATE HAPPY
hydra-check-space.service          9.6 UNSAFE    😨
hydra-compress-logs.service        9.6 UNSAFE    😨
hydra-evaluator.service            9.2 UNSAFE    😨
hydra-notify.service               9.2 UNSAFE    😨
hydra-queue-runner.service         9.2 UNSAFE    😨
hydra-send-stats.service           9.2 UNSAFE    😨
hydra-server.service               9.2 UNSAFE    😨
hydra-update-gc-roots.service      9.2 UNSAFE    😨
Most, if not all, of these could have significantly lower exposure. As far as I can tell, little work has happened with this, and there's an awful lot of low-hanging fruit.
Note that two of these (hydra-check-space and hydra-compress-logs) are defined in nixpkgs rather than in this repository.
The slightly hardened units we use:
# hydra-server
ExecStart=@/nix/store/vn4374g0v49x0a70nik98nf0k3s8c04n-hydra-env/bin/hydra-server hydra-server -f -h '*' -p 3000 --max_spare_servers 5 --max_servers 25 --max_requests 100
LockPersonality=true
MemoryDenyWriteExecute=false
NoNewPrivileges=true
PermissionsStartOnly=true
PrivateDevices=true
PrivateMounts=true
PrivateNetwork=false
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=/var/lib/hydra/scm/
ReadOnlyPaths=/nix/
ReadOnlyPaths=/var/lib/secrets/hydra/ldap.yml
ReadWritePaths=/nix/var/nix/gcroots/hydra/
ReadWritePaths=/run/postgresql/.s.PGSQL.5432
ReadWritePaths=/nix/var/nix/daemon-socket/socket
ReadWritePaths=/var/lib/hydra/build-logs/
RemoveIPC=true
Restart=always
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=hydra/www
StateDirectoryMode=700
SystemCallArchitectures=native
SystemCallFilter=@system-service
# hydra-evaluator
ExecStart=@/nix/store/vn4374g0v49x0a70nik98nf0k3s8c04n-hydra-env/bin/hydra-evaluator hydra-evaluator
ExecStartPre=+/nix/store/x78gasv563z3z5habwbywsggyv8xrahv-hydra-evaluator-prestart/bin/hydra-evaluator-prestart
LockPersonality=true
MemoryDenyWriteExecute=false
NoNewPrivileges=true
PrivateDevices=true
PrivateMounts=true
PrivateNetwork=false
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=/nix/
ReadWritePaths=/nix/var/nix/gcroots/
ReadWritePaths=/run/postgresql/.s.PGSQL.5432
ReadWritePaths=/nix/var/nix/daemon-socket/socket
RemoveIPC=true
Restart=always
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=hydra
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077
User=hydra
WorkingDirectory=/var/lib/hydra
# hydra-queue-runner
ExecStart=@/nix/store/vn4374g0v49x0a70nik98nf0k3s8c04n-hydra-env/bin/hydra-queue-runner hydra-queue-runner -v
ExecStopPost=/nix/store/vn4374g0v49x0a70nik98nf0k3s8c04n-hydra-env/bin/hydra-queue-runner --unlock
LimitCORE=infinity
LockPersonality=true
MemoryDenyWriteExecute=false
NoNewPrivileges=true
PrivateDevices=true
PrivateMounts=true
PrivateNetwork=false
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=/nix/
ReadWritePaths=/nix/var/nix/gcroots/
ReadWritePaths=/run/postgresql/.s.PGSQL.5432
ReadWritePaths=/nix/var/nix/daemon-socket/socket
ReadWritePaths=/var/lib/hydra/build-logs/
RemoveIPC=true
Restart=always
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=hydra/queue-runner
StateDirectoryMode=0700
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=0077
User=hydra-queue-runner
WorkingDirectory=/var/lib/hydra/queue-runner
# hydra-notify
ExecStart=@/nix/store/vn4374g0v49x0a70nik98nf0k3s8c04n-hydra-env/bin/hydra-notify hydra-notify
LockPersonality=true
MemoryDenyWriteExecute=false
NoNewPrivileges=true
PrivateDevices=true
PrivateMounts=true
PrivateNetwork=false
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=/nix/
ReadWritePaths=/run/postgresql/.s.PGSQL.5432
ReadWritePaths=/nix/var/nix/daemon-socket/socket
ReadWritePaths=/var/lib/hydra/scm/
RemoveIPC=true
Restart=always
RestartSec=5
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=hydra/channels
SystemCallArchitectures=native
UMask=0077
User=hydra-queue-runner
All of these lack RestrictAddressFamilies and CapabilityBoundingSet since we do that with AppArmor, which is a lot more convenient for us.
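As an added example (not code from this issue, from Hydra or from nixpkgs), the following POSIX shell helpers turn the `systemd-analyze security` table quoted above into a pass/fail gate, and write a drop-in that supplies the two directives the units above leave to AppArmor, for hosts that do not ship those profiles. The sample report is constructed from the table in the issue; the threshold, the chosen address families and the empty capability bounding set are assumptions, not values the issue or Hydra specifies.

```shell
#!/bin/sh
# Added example, not code from the Hydra issue, Hydra or nixpkgs.
# Two helpers around `systemd-analyze security`:
#   gate_exposure  - turn the exposure table into a pass/fail check
#   write_drop_in  - add RestrictAddressFamilies/CapabilityBoundingSet via a
#                    drop-in, for hosts that do not carry the AppArmor profiles
#                    the issue relies on instead.

# Constructed sample: the table quoted in the issue, in the analyzer's format.
SAMPLE_REPORT='UNIT                          EXPOSURE PREDICATE HAPPY
hydra-check-space.service          9.6 UNSAFE    😨
hydra-compress-logs.service        9.6 UNSAFE    😨
hydra-evaluator.service            9.2 UNSAFE    😨
hydra-notify.service               9.2 UNSAFE    😨
hydra-queue-runner.service         9.2 UNSAFE    😨
hydra-send-stats.service           9.2 UNSAFE    😨
hydra-server.service               9.2 UNSAFE    😨
hydra-update-gc-roots.service      9.2 UNSAFE    😨'

# gate_exposure THRESHOLD
# Reads a `systemd-analyze security` table on stdin. Prints "unit score" for
# every unit scoring above THRESHOLD and exits 1 if there was any, so it can
# fail a deployment or CI job. The header row is recognised by its first word.
gate_exposure() {
  awk -v max="$1" '
    $1 == "UNIT" { next }
    NF >= 3 && ($2 + 0) > (max + 0) { print $1, $2; bad = 1 }
    END { if (bad) exit 1 }
  '
}

# gate_live THRESHOLD
# Same check against the running system, restricted to the hydra-* units.
gate_live() {
  systemd-analyze security --no-pager | grep -E '^(UNIT|hydra-)' | gate_exposure "$1"
}

# write_drop_in UNIT DIR
# Creates DIR/UNIT.d/10-hardening.conf. The directive values are assumptions
# for a Hydra service: AF_UNIX covers the PostgreSQL and nix-daemon sockets
# listed as ReadWritePaths in the issue, AF_INET/AF_INET6 cover the HTTP
# listener and outbound fetches; an empty bounding set fits a service that
# already runs as an unprivileged user. Check the journal for EAFNOSUPPORT or
# EPERM failures after `systemctl daemon-reload && systemctl restart UNIT`
# before relying on these values.
write_drop_in() {
  unit="$1"
  dir="$2"
  mkdir -p "$dir/$unit.d"
  cat > "$dir/$unit.d/10-hardening.conf" <<'EOF'
[Service]
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=
EOF
}

# Demo when run as `sh this.sh demo`; otherwise only the functions are defined.
if [ "${1:-}" = "demo" ]; then
  echo "units above 5.0:"
  printf '%s\n' "$SAMPLE_REPORT" | gate_exposure 5.0 || echo "gate failed (expected for the sample)"
  tmp=$(mktemp -d)
  write_drop_in hydra-server.service "$tmp"
  cat "$tmp/hydra-server.service.d/10-hardening.conf"
  rm -r "$tmp"
fi
```

On a live host, `gate_live 5.0` runs the same check against the real analyzer output; rerun it after installing a drop-in with `write_drop_in hydra-server.service /etc/systemd/system` to see how far the score moves. Note that `systemd-analyze security` scores only what systemd itself enforces, so the AppArmor confinement the issue describes does not lower the reported number even when it blocks the same things.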