Merge pull request #173109 from Mic92/upterm
nixos/upterm: additional hardening
commit
e56ae50ed9
@ -85,6 +85,7 @@ in
|
|||||||
AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
|
AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
|
||||||
CapabilityBoundingSet = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
|
CapabilityBoundingSet = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
|
||||||
PrivateUsers = cfg.port >= 1024;
|
PrivateUsers = cfg.port >= 1024;
|
||||||
|
DynamicUser = true;
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
MemoryDenyWriteExecute = true;
|
MemoryDenyWriteExecute = true;
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
@ -95,7 +96,9 @@ in
|
|||||||
ProtectKernelLogs = true;
|
ProtectKernelLogs = true;
|
||||||
ProtectKernelModules = true;
|
ProtectKernelModules = true;
|
||||||
ProtectKernelTunables = true;
|
ProtectKernelTunables = true;
|
||||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
ProtectProc = "invisible";
|
||||||
|
# AF_UNIX is for ssh-keygen, which relies on nscd to resolve the uid to a user
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||||
RestrictNamespaces = true;
|
RestrictNamespaces = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
SystemCallArchitectures = "native";
|
SystemCallArchitectures = "native";
|
||||||
|
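Review bot: The comment above the widened `RestrictAddressFamilies` says why AF_UNIX is needed but not what it costs or what makes it necessary. Allowing AF_UNIX lets the service connect to any Unix socket visible in its mount namespace, not only nscd, so the real exposure depends on filesystem restrictions that lie outside this hunk. The nscd lookup is presumably a consequence of the `DynamicUser = true` added in the first hunk; if so, the comment should say it, e.g. `# AF_UNIX: ssh-keygen resolves the DynamicUser uid via nscd; drop it again if DynamicUser is removed`. The serviceConfig block starts and ends outside both hunks.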
@ -30,11 +30,14 @@ in
|
|||||||
server.wait_for_unit("uptermd.service")
|
server.wait_for_unit("uptermd.service")
|
||||||
server.wait_for_unit("network-online.target")
|
server.wait_for_unit("network-online.target")
|
||||||
|
|
||||||
|
# wait for upterm port to be reachable
|
||||||
|
client1.wait_until_succeeds("nc -z -v server 1337")
|
||||||
|
|
||||||
# Add SSH hostkeys from the server to both clients
|
# Add SSH hostkeys from the server to both clients
|
||||||
# uptermd needs an '@cert-authority entry so we need to modify the known_hosts file
|
# uptermd needs an '@cert-authority entry so we need to modify the known_hosts file
|
||||||
client1.execute("sleep 3; mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
|
client1.execute("mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
|
||||||
client1.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts")
|
client1.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts")
|
||||||
client2.execute("sleep 3; mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
|
client2.execute("mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
|
||||||
client2.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts")
|
client2.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts")
|
||||||
|
|
||||||
client1.wait_for_unit("multi-user.target")
|
client1.wait_for_unit("multi-user.target")
|
||||||
|
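Review bot: Only client1 probes the port before the handshake; the `ssh` in the later `client2.execute` line now runs with neither the removed `sleep 3` nor a readiness check of its own, and `execute` does not fail the test on a non-zero exit status. If that ssh cannot connect, `known_hosts` is never populated and the following `echo @cert-authority ...` writes a bare marker, so the failure would only surface later and less readably. Consider adding `client2.wait_until_succeeds("nc -z -v server 1337")` next to the client1 probe and asserting that the key was captured with `client1.succeed("test -s ~/.ssh/known_hosts")`, and the same for client2. The testScript continues outside the hunk.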