warpgate icon indicating copy to clipboard operation
warpgate copied to clipboard
verified publisher icon warp-tech

Safer systemd service file

Open gvalkov opened this issue 11 months ago • 1 comments

Hello,

The example systemd service file is not particularly secure. It would be useful to have a more elaborate example and directions on how to further secure it (i.e. systemd-analyze security) :

[Unit]
Description=Warpgate
After=network.target
StartLimitIntervalSec=0

[Service]
ProtectSystem=strict
PrivateTmp=true
PrivateUsers=True
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectProc=noaccess
ProtectHostname=true
MemoryDenyWriteExecute=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX  # AF_UNIX is needed by sd_notify
LockPersonality=true
ProtectClock=true
NoNewPrivileges=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
CapabilityBoundingSet=

# You may want to modify the following to fit your environment.
ReadWritePaths=/opt/warpgate 
ExecPaths=/usr/local/bin/warpgate
SocketBindAllow=ipv4:8888
SocketBindAllow=ipv4:8888
SocketBindDeny=any
User=warpgate

Type=notify
UMask=0027
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/warpgate --config /opt/warpgate/config.yaml run

[Install]
WantedBy=multi-user.target

The above results in a systemd-analyze security score of 2.9 OK.

gvalkov avatar Jan 23 '25 17:01 gvalkov

Fantastic. I created an issue that I intend to work on to improve the docs. This will be added to it.

https://github.com/warp-tech/warpgate/issues/1302

krishardy avatar Apr 01 '25 00:04 krishardy