From 4b684bc1e635799e1d6ebbbbae194c2f85044998 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Thu, 4 Apr 2024 17:13:12 +0200
Subject: [PATCH] Restrict HRZ allowlist update service privileges

---
 nixos/machines/lobon/configuration.nix | 4 ++--
 nixos/modules/mailman.nix | 22 ++++++++++++++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/nixos/machines/lobon/configuration.nix b/nixos/machines/lobon/configuration.nix
index 506d637..8191acf 100644
--- a/nixos/machines/lobon/configuration.nix
+++ b/nixos/machines/lobon/configuration.nix
@@ -28,8 +28,8 @@
 };
 backupKey = {
 sopsFile = ./backupKey.yaml;
- owner = "root";
- group = "root";
+ owner = "mailman";
+ group = "mailman";
 mode = "0400";
 };
 };
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index 8156d32..695a173 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -93,7 +93,25 @@ in {
 serviceConfig = {
 Type = "oneshot";
 User = "mailman";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
 PrivateTmp = true;
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
 };
 };

@@ -113,8 +131,8 @@ in {
 };
 repo = "borg@192.168.1.11:lobon"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
 startAt = "daily";
- user = "root";
- group = "root";
+ user = "mailman";
+ group = "mailman";
 };
 };
 }
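Review bot: Handing the backupKey secret to `mailman` (and, in the second mailman.nix hunk, running the borgbackup job as that user) puts the repository key and the SSH access to `borg@192.168.1.11:lobon` within reach of every process running under that account, so a compromised Mailman process could read, alter or prune the backups rather than just the mail data. That is the price of dropping root here and is acceptable if the repository side is locked down for this key (an append-only `borg serve` restriction on the backup host, with prune/compact run from a separate trusted client); the trade-off deserves a line next to the option, e.g. `owner = "mailman"; # readable by the backup job (runs as mailman); any mailman process can read this key`. Mode `0400` staying in place is right, since group access is not needed. Whether the mailman user can read every path the job backs up (the `paths` list is outside the hunk) should be confirmed with one manual run, because anything that was previously readable only by root will now make borg report read errors. Both enclosing attribute sets start outside their hunks.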
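Review bot: The hardening set added to serviceConfig omits the system-call and namespace restrictions that usually accompany these options; with NoNewPrivileges and a fixed service user already in place, `RestrictNamespaces = true;`, `SystemCallArchitectures = "native";` and `SystemCallFilter = [ "@system-service" ];` (plus a `RestrictAddressFamilies` list limited to what the update needs, presumably AF_INET/AF_INET6 if it fetches the list over the network) would reduce the remaining kernel surface noticeably. `ReadOnlyPaths = "/"` paired with `ReadWritePaths = "/tmp"` is the hand-rolled form of `ProtectSystem = "strict";`, which is the documented knob for this intent and keeps PrivateTmp's /tmp writable without an explicit exception, so prefer it unless the wider read-only mount (including the API filesystems) was deliberate. The `# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html` comment lands between NoNewPrivileges and PrivateTmp; placing it above NoNewPrivileges makes it read as the reference for the whole block. MemoryDenyWriteExecute can break runtimes that need writable-executable pages (libffi-backed ctypes in Python, for instance), so the unit should be started once after this change to confirm the allowlist script still runs; the enclosing service definition starts and ends outside the hunk.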