From 166ddebdbce7df504abaf17bd6ccc1b99c777906 Mon Sep 17 00:00:00 2001
From: "Haelwenn (lanodan) Monnier"
Date: Tue, 13 Jun 2023 12:45:18 +0200
Subject: [PATCH 1/3] Add no_new_privs to OpenRC service files

---
 installation/init.d/akkoma | 1 +
 rel/files/installation/init.d/akkoma | 1 +
 2 files changed, 2 insertions(+)

diff --git a/installation/init.d/akkoma b/installation/init.d/akkoma
index 6c1973db4..bd17516f2 100755
--- a/installation/init.d/akkoma
+++ b/installation/init.d/akkoma
@@ -8,6 +8,7 @@ pidfile="/var/run/akkoma.pid"
 directory=/opt/akkoma
 healthcheck_delay=60
 healthcheck_timer=30
+no_new_privs="yes"
 
 : ${akkoma_port:-4000}
 
diff --git a/rel/files/installation/init.d/akkoma b/rel/files/installation/init.d/akkoma
index ea6ea3580..492a0debe 100755
--- a/rel/files/installation/init.d/akkoma
+++ b/rel/files/installation/init.d/akkoma
@@ -9,6 +9,7 @@ command=/opt/akkoma/bin/pleroma
 command_args="start"
 command_user=akkoma
 command_background=1
+no_new_privs="yes"
 
 # Ask process to terminate within 30 seconds, otherwise kill it
 retry="SIGTERM/30/SIGKILL/5"

From a86b010e103771ada1b50ef8ac22e3d791f1a919 Mon Sep 17 00:00:00 2001
From: Norm
Date: Thu, 29 Jun 2023 02:14:04 -0400
Subject: [PATCH 2/3] Add NoNewPrivileges to systemd service file for source installs

This setting already exists in the OTP installation directory, but doesn't for the one used by source installs.
---
 installation/akkoma.service | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/installation/akkoma.service b/installation/akkoma.service
index 2c381ad0d..717693495 100644
--- a/installation/akkoma.service
+++ b/installation/akkoma.service
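Review bot: The new `no_new_privs="yes"` line in installation/init.d/akkoma is only honoured when the installed OpenRC's start-stop-daemon or supervise-daemon understands that variable; on an older OpenRC it is silently ignored, so the hardening is not applied and nothing warns the admin. Unlike the systemd unit in this series, which documents each hardening directive, the script gives the setting no explanation; a comment such as `# Forbid the daemon and its children from gaining privileges via setuid/setgid bits or file capabilities on execve (PR_SET_NO_NEW_PRIVS); requires an OpenRC release that supports no_new_privs.` would record both the intent and the requirement. Whether this script starts the daemon through start-stop-daemon or supervise-daemon is not visible in the hunk (the `healthcheck_*` variables suggest the latter), so the minimum OpenRC version should be confirmed before it is written into the comment.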
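Review bot: In rel/files/installation/init.d/akkoma the added `no_new_privs="yes"` likewise carries no comment, so a reader has to know OpenRC internals to tell what it does or which OpenRC release it needs; suggest `# Block privilege gain via setuid/setgid or file capabilities on execve (PR_SET_NO_NEW_PRIVS); ignored by OpenRC releases that predate no_new_privs support.` directly above it. Because the service already runs as `command_user=akkoma`, this is defence in depth that closes the setuid-helper route rather than a replacement for the user drop, which is worth saying so nobody later treats it as a reason to loosen `command_user`. As a point of style, the neighbouring `command_user=akkoma` and `command_background=1` are unquoted while the new value is quoted; `no_new_privs=yes` would match, and both forms presumably parse the same.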
@@ -38,6 +38,8 @@ ProtectHome=true
 ProtectSystem=full
 ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
 PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
 ; Drops the sysadmin capability from the daemon.
 CapabilityBoundingSet=~CAP_SYS_ADMIN
 

From db645563062e6169777cc0eadf172ee282f067b2 Mon Sep 17 00:00:00 2001
From: Norm
Date: Thu, 29 Jun 2023 02:15:32 -0400
Subject: [PATCH 3/3] Record no_new_privs hardening to changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7a81aad09..c2f3757fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Deactivated users can no longer show up in the emoji reaction list
 - Embedded posts can no longer bypass `:restrict\_unauthenticated`
 
+## Security
+
+- Add `no_new_privs` hardening to OpenRC and systemd service files
+
 ## 2023.05
 
 ## Added
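Review bot: The comment added above `NoNewPrivileges=true` covers only the execve() aspect; an operator also needs to know that the flag blocks setuid/setgid helpers and file-capability binaries spawned by the VM and can prevent SELinux domain or AppArmor profile transitions for child processes on some kernels and policies, which is where to look if an external helper starts failing on a MAC-enabled host. Extending the comment with `; Also blocks setuid/setgid helpers and, on SELinux/AppArmor hosts, may prevent policy transitions for child processes.` keeps that next to the directive. Ambient capabilities (for example a later `AmbientCapabilities=CAP_NET_BIND_SERVICE`) are preserved across execve under no_new_privs, so this does not conflict with the `CapabilityBoundingSet` line that follows. The section header these directives belong to is outside the hunk.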