Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

better example file for systemd service #22

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

better example file for systemd service #22

wants to merge 1 commit into from

Conversation

cs8425
Copy link

@cs8425 cs8425 commented Mar 14, 2023

drop root permission on go-mmproxy itself,
enable CAP_NET_BIND_SERVICE, CAP_NET_ADMIN for binding < 1024 port and using IP_TRANSPARENT,
and keep ip rule, ip route working.

DanScharon
DanScharon reviewed May 23, 2023
View reviewed changes
go-mmproxy.service.example
User=nobody
Group=nogroup
Environment=USER=nobody HOME=/tmp
ProtectSystem=true
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be ProtectSystem=full so that a config file with allowed subnets can be loaded from /etc

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be strict, as the service does not need any write access.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be strict, as the service does not need any write access.

Yes, you are right.
When using DynamicUser=yes systemd also implicitly sets ProtectSystem=strict according to the systemd documentation.

DanScharon
DanScharon reviewed May 23, 2023
View reviewed changes
go-mmproxy.service.example
Restart=on-failure
RestartSec=10s
User=nobody
Group=nogroup
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

User and Group should not be set to nobody/nogroup, instead DynamicUser=yes should be used

@kzemek
Copy link
Contributor

kzemek commented Oct 4, 2023

@cs8425 I'm happy to merge this if you include @DanScharon's comments

@tacerus
Copy link

tacerus commented May 25, 2024

I'm proposing an alternative patch, including the suggestions along with more hardening options: #30.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DanScharon DanScharon DanScharon left review comments

@tacerus tacerus tacerus left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cs8425 @kzemek @tacerus @DanScharon