More hardening for systemd unit files?

There are systemd unit files for syncthing

/etc/linux-systemd/user/syncthing.service
/etc/linux-systemd/system/syncthing@.service

And it is good to see they even ship with some basic hardening:

ProtectSystem=full
PrivateTmp=true

I think it would make sense to add some more. For example, ProtectSystem=full does make /etc read-only, but you can still read /etc/shadow or /etc/passwd depending on which user is running syncthing.

I would suggest adding the following (a leading - sign means the entry is ignored if the directory does not exist on the filesystem):

ProtectKernelModules=true
ProtectKernelTunables=true
InaccessiblePaths=-/etc -/boot -/var -/dev -/media -/mnt -/root -/srv
ReadOnlyPaths=-/bin -/sbin -/usr -/lib -/lib64 -/opt

This list might be rather strict and might need some tweaking, but I think it is worth the shot.

Perhaps it might even make sense to use whitelisting rather than blacklisting, e.g.:

InaccessiblePaths=/
ReadOnlyPaths=/home/
ReadWritePaths=-/home/sync

NoExecPaths=/
ExecPaths=/usr/bin/syncthing /usr/lib /usr/lib64

I’d rather not have our default systemd unit restricting which paths the user might or might not share. Who in their right mind would want to blacklist /media and /mnt?

I’m also not sure about those kernel related options. The user shouldn’t execute syncthing as root, and only root is able to tinker with kernel modules and tunables.
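Both points in this thread (the first post's claim that ProtectSystem=full still leaves /etc/shadow readable while InaccessiblePaths would not, and the reply's objection that blacklisting /media and /mnt would block folders users actually share) can be checked without rebooting a service. The script below is an added example, not code from the thread or from the Syncthing project: it parses the path directives of a [Service] section (handling the space-separated lists and the optional leading -), approximates how ProtectSystem= and the three path lists combine, and reports which of a user's shared folders a given unit would leave read-only or inaccessible. The sample unit texts and share paths are constructed for the example; the precedence rule (the most specific matching path wins, as with systemd's nested bind mounts) and the ProtectSystem= mapping are assumptions stated in the comments, and options such as ProtectHome= are not modelled.

```python
"""Estimate the effect of systemd path sandboxing on a set of shared folders.

Added example; the unit texts and share paths below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed: the two directives the shipped unit already carries.
SHIPPED_UNIT = """\
[Service]
ProtectSystem=full
PrivateTmp=true
"""

# Constructed: the shipped directives plus the blacklist proposed in the thread.
PROPOSED_UNIT = SHIPPED_UNIT + """\
ProtectKernelModules=true
ProtectKernelTunables=true
InaccessiblePaths=-/etc -/boot -/var -/dev -/media -/mnt -/root -/srv
ReadOnlyPaths=-/bin -/sbin -/usr -/lib -/lib64 -/opt
"""

# Constructed: the whitelisting variant suggested in the thread.
WHITELIST_UNIT = """\
[Service]
InaccessiblePaths=/
ReadOnlyPaths=/home/
ReadWritePaths=-/home/sync
"""

# Constructed: folders a hypothetical user has configured as shares.
SHARES = ["/home/sync/Documents", "/media/usb/photos", "/mnt/nas/backup"]

PATH_DIRECTIVES = ("InaccessiblePaths", "ReadOnlyPaths", "ReadWritePaths")


@dataclass
class PathPolicy:
    inaccessible: list[str] = field(default_factory=list)
    read_only: list[str] = field(default_factory=list)
    read_write: list[str] = field(default_factory=list)
    other: dict[str, str] = field(default_factory=dict)


def parse_unit(text: str) -> PathPolicy:
    """Parse the [Service] section of a unit file into a PathPolicy.

    Path directives are space-separated lists; a leading '-' only marks an entry
    as optional (skipped if missing), so it is stripped here.
    """
    policy = PathPolicy()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in PATH_DIRECTIVES:
            paths = [p.lstrip("-") for p in value.split()]
            {"InaccessiblePaths": policy.inaccessible,
             "ReadOnlyPaths": policy.read_only,
             "ReadWritePaths": policy.read_write}[key].extend(paths)
        else:
            policy.other[key] = value
    return policy


def _under(path: str, prefix: str) -> bool:
    p, q = PurePosixPath(path), PurePosixPath(prefix)
    return p == q or q in p.parents


def effective_access(policy: PathPolicy, path: str) -> str:
    """Return 'none', 'ro' or 'rw' for `path` under `policy`.

    Assumption: the longest (most specific) matching entry wins, mirroring how
    systemd layers nested bind mounts. ProtectSystem= is mapped as documented:
    true/yes -> /usr, /boot, /efi read-only; full -> those plus /etc;
    strict -> everything read-only except /dev, /proc, /sys.
    """
    rules = [(p, "none") for p in policy.inaccessible]
    rules += [(p, "ro") for p in policy.read_only]
    rules += [(p, "rw") for p in policy.read_write]
    protect = policy.other.get("ProtectSystem", "no")
    if protect in ("yes", "true", "full"):
        rules += [(p, "ro") for p in ("/usr", "/boot", "/efi")]
    if protect == "full":
        rules.append(("/etc", "ro"))
    if protect == "strict":
        rules.append(("/", "ro"))
        rules += [(p, "rw") for p in ("/dev", "/proc", "/sys")]
    best_depth, mode = -1, "rw"  # no matching rule: unrestricted
    for prefix, rule_mode in rules:
        depth = len(PurePosixPath(prefix).parts)
        if _under(path, prefix) and depth > best_depth:
            best_depth, mode = depth, rule_mode
    return mode


def blocked_shares(unit_text: str, shares: list[str]) -> dict[str, str]:
    """Map each share the unit would not allow writing to onto its access mode."""
    policy = parse_unit(unit_text)
    return {s: effective_access(policy, s) for s in shares
            if effective_access(policy, s) != "rw"}


if __name__ == "__main__":
    for name, unit in (("shipped", SHIPPED_UNIT), ("proposed", PROPOSED_UNIT),
                       ("whitelist", WHITELIST_UNIT)):
        pol = parse_unit(unit)
        print(f"{name}: /etc/shadow -> {effective_access(pol, '/etc/shadow')}, "
              f"blocked shares -> {blocked_shares(unit, SHARES)}")
```

Running it shows the trade-off both posters are describing: the shipped unit leaves /etc/shadow "ro" (so readable, subject only to file permissions), the proposed blacklist makes it "none" but also reports the /media and /mnt shares as blocked, and the whitelist variant blocks every share outside /home/sync.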
