Adding more restrictions to rest-server.service (an experiment)

Right now I’m mostly experimenting with this to learn how it works.

The patch below makes similar changes as PR 246 and 249 but also adds a few others.
This is currently just an experiment, so it’s not ready to become a PR.

On a Fedora CoreOS VM this worked:

  1. install rest-server binary to /var/usrlocal/bin/rest-server
  2. sudo mkdir /var/usrlocal/backups
  3. sudo chmod 700 /var/usrlocal/backups
  4. sudo chown www-data:www-data /var/usrlocal/backups
  5. Install /etc/systemd/system/rest-server.service and /etc/systemd/system/rest-server.socket
    (see the patch for rest-server.service below)
  6. sudo useradd test
  7. sudo machinectl shell test
  8. mkdir ~/mydata
  9. echo hello > ~/mydata/file.txt
  10. restic -r rest:http://127.0.0.1:8080 init
  11. restic -r rest:http://127.0.0.1:8080/ --verbose backup ~/mydata
  12. restic -r rest:http://127.0.0.1:8080/ --verbose snapshots

patch for rest-server.service

--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@@ -5,15 +5,18 @@ After=network.target
 
 # if you want to use socket activation, make sure to require the socket here
 #Requires=rest-server.socket
+Requires=rest-server.socket
+After=rest-server.socket
 
 [Service]
 Type=simple
 # You may prefer to use a different user or group on your system.
 User=www-data
 Group=www-data
-ExecStart=/usr/local/bin/rest-server --path /path/to/backups
+ExecStart=/bin/rest-server --path /backups --no-auth --debug
 Restart=always
 RestartSec=5
+RootDirectory=/var/usrlocal
 
 # The following options are available (in systemd v247) to restrict the
 # actions of the rest-server.
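Review bot: the socket-activation comment and the commented `#Requires=rest-server.socket` line are now stale, because the hunk adds `Requires=rest-server.socket` and `After=rest-server.socket` unconditionally right below them; drop the commented line and reword the comment to say the socket unit is required by this configuration. Two further points in the same hunk: with `RootDirectory=/var/usrlocal` the ExecStart paths `/bin/rest-server` and `--path /backups` are resolved inside the new root (on the host: /var/usrlocal/bin/rest-server and /var/usrlocal/backups), which is easy to misread and deserves a comment next to `RootDirectory=`; and `--no-auth --debug` should not ship in the example unit, since the existing example keeps authentication enabled and `--debug` is a troubleshooting flag.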
@@ -25,10 +28,10 @@ RestartSec=5
 
 # IMPORTANT!
 # The following line must be customised to your individual requirements.
-ReadWritePaths=/path/to/backups
+ReadWritePaths=/var/usrlocal/backups
 
 # Makes created files group-readable, but inaccessible by others
-UMask=027
+UMask=077
 
 # If your system doesn't support all of the features below (e.g. because of
 # the use of an older version of systemd), you may wish to comment-out
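Review bot: the comment `# Makes created files group-readable, but inaccessible by others` no longer matches `UMask=077`, which makes created files inaccessible to the group as well; either update the comment (for example "Makes created files accessible only to the service user") or keep 027 if group readability is intended. The new `ReadWritePaths=/var/usrlocal/backups` is written as a host-absolute path while ExecStart in the first hunk uses the RootDirectory-relative `/backups`; a short comment stating which root `ReadWritePaths=` is resolved against would keep the two lines from drifting apart.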
@@ -38,8 +41,12 @@ LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=yes
 PrivateTmp=yes
+
+PrivateNetwork=yes
+
 PrivateDevices=true
 PrivateUsers=true
+ProcSubset=pid
 ProtectSystem=strict
 ProtectHome=yes
 ProtectClock=true
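Review bot: `PrivateNetwork=yes` gives the service its own network namespace with only a loopback device, so it can serve requests only through the listening socket it inherits from rest-server.socket; without socket activation the server would bind inside that empty namespace and be unreachable. Add a comment stating that the socket unit is mandatory with this option, and drop the blank lines around `PrivateNetwork=yes` so the block keeps the one-directive-per-line layout of the surrounding hardening options. `ProcSubset=pid` is fine and complements `ProtectProc=invisible` from the next hunk, but a one-line comment on what it hides would help readers who are not familiar with it.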
@@ -51,13 +58,14 @@ ProtectProc=invisible
 ProtectHostname=true
 RemoveIPC=true
 RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
 RestrictSUIDSGID=true
 RestrictRealtime=true
 # if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+SystemCallFilter=~@privileged
 # Additionally, you may wish to use some of the systemd options documented in
 # systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
 # network I/O that the rest-server is permitted to consume according to the
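Review bot: `RestrictAddressFamilies=none` only blocks new socket() calls, so the listening socket passed in from rest-server.socket keeps working (which is why the test run succeeded), but it also forbids AF_UNIX, so any later use of sd_notify or a socket-based logging client would fail; a comment explaining that this line depends on socket activation would help. On the filters: multiple `SystemCallFilter=` lines are merged, so `~@resources` correctly subtracts from `@system-service`, but `~@privileged` looks redundant, as `@system-service` already excludes `@privileged`. Also verify `~@resources` against a rest-server build on Go 1.19 or newer, whose runtime tries to raise RLIMIT_NOFILE via setrlimit/prlimit64 at startup (both are in `@resources`); with the default filter action the process would be killed with status=31/SYS, the symptom already described in the comment above `SystemCallArchitectures=native`.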

Result: It seems to work.
The output from the last command was:

enter password for repository: 
repository 085b1e3b opened (version 2, compression level auto)
ID        Time                 Host                   Tags        Paths
-----------------------------------------------------------------------------------------
26d74fdf  2023-07-18 07:36:53  localhost.localdomain              /var/home/test/mydata
-----------------------------------------------------------------------------------------
1 snapshots