Using "none" instead of "AF_INET AF_INET6" for RestrictAddressFamilies= in systemd unit rest-server.service

eriksjolund · July 13, 2023, 4:44pm

Does the rest-server need to create outbound TCP connections?

If not it might be possible to remove AF_INET AF_INET6 from the RestrictAddressFamilies= line

--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@@ -51,7 +51,7 @@ ProtectProc=invisible
 ProtectHostname=true
 RemoveIPC=true
 RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
 RestrictSUIDSGID=true
 RestrictRealtime=true
 # if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host

That would improve security.

(I haven’t tried it out yet)

Quote from systemd.exec man page

Sockets passed into the process by other means
(for example, by using socket activation with socket
units, see systemd.socket(5)) are unaffected.

I’ve previously used Podman to run a socket-activated network server container. It worked fine and I didn’t need to use AF_INET AF_INET6 in the RestrictAddressFamilies list.

Podman supports socket activation of containers. (Docker does not have that feature)

eriksjolund · July 14, 2023, 6:32am

I did a minimal test and it worked!

In the test the systemd unit files were modified like this

--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@@ -11,7 +11,7 @@ Type=simple
 # You may prefer to use a different user or group on your system.
 User=www-data
 Group=www-data
-ExecStart=/usr/local/bin/rest-server --path /path/to/backups
+ExecStart=/usr/local/bin/rest-server --path /usr/local/backups --no-auth
 Restart=always
 RestartSec=5
 
@@ -25,7 +25,7 @@ RestartSec=5
 
 # IMPORTANT!
 # The following line must be customised to your individual requirements.
-ReadWritePaths=/path/to/backups
+ReadWritePaths=/usr/local/backups
 
 # Makes created files group-readable, but inaccessible by others
 UMask=027
@@ -51,7 +51,7 @@ ProtectProc=invisible
 ProtectHostname=true
 RemoveIPC=true
 RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
 RestrictSUIDSGID=true
 RestrictRealtime=true
 # if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
diff --git a/examples/systemd/rest-server.socket b/examples/systemd/rest-server.socket
index ba3262a..24990c7 100644
--- a/examples/systemd/rest-server.socket
+++ b/examples/systemd/rest-server.socket
@@ -1,5 +1,5 @@
 [Socket]
-ListenStream = 8080
+ListenStream = 127.0.0.1:8080
 
 [Install]
 WantedBy = sockets.target

Test

restic init
restic backup
restic snapshots

[test@localhost ~]$ restic -r rest:http://127.0.0.1:8080/ init
enter password for new repository: 
enter password again: 
created restic repository ddb72c517c at rest:http://127.0.0.1:8080/

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.
[test@localhost ~]$ restic -r rest:http://127.0.0.1:8080/  --verbose backup ~/mydata
open repository
enter password for repository: 
repository ddb72c51 opened (version 2, compression level auto)
created new cache in /var/home/test/.cache/restic
lock repository
no parent snapshot found, will read all files
load index files
start scan on [/var/home/test/mydata]
start backup on [/var/home/test/mydata]
scan finished in 0.217s: 1 files, 6 B

Files:           1 new,     0 changed,     0 unmodified
Dirs:            4 new,     0 changed,     0 unmodified
Data Blobs:      1 new
Tree Blobs:      5 new
Added to the repository: 2.310 KiB (1.928 KiB stored)

processed 1 files, 6 B in 0:00
snapshot 2be041f9 saved
[test@localhost ~]$ restic -r rest:http://127.0.0.1:8080/  --verbose snapshots
enter password for repository: 
repository ddb72c51 opened (version 2, compression level auto)
ID        Time                 Host                   Tags        Paths
-----------------------------------------------------------------------------------------
2be041f9  2023-07-07 05:23:58  localhost.localdomain              /var/home/test/mydata
-----------------------------------------------------------------------------------------
1 snapshots
[test@localhost ~]$

I created a git branch

that could become a PR

eriksjolund · July 14, 2023, 4:59pm

I repeated the test with the only difference that I also added this line

PrivateNetwork=yes

It also worked.

The command
systemd-analyze security rest-server.service
recommends using such a configuration.

MichaelEischer · July 14, 2023, 8:12pm

That makes it mandatory to also uncomment Requires=rest-server.socket in rest-server.service.

It might be a good idea to also add one or two sentences that the PrivateNetwork works due to the use of a socket unit.

eriksjolund · July 15, 2023, 2:22pm

Created a PR

github.com/restic/rest-server

Improve security of systemd service rest-server.service by restricting network access

restic:master ← eriksjolund:adjust_restrict_address_families

opened 01:16PM - 15 Jul 23 UTC

eriksjolund

+36 -8

What is the purpose of this change? What does it change? -------------------------------------------------------- Improve security of rest-server.service by restricting network access. This patch improves the overall security assessment score given by `systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253) * Remove `AF_INET AF_INET6` from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See [systemd.exec](https://www.freedesktop.org/software/systemd/man/systemd.exec.html) man page. * Add `PrivateNetwork=yes` as recommended for socket-activated services in the [systemd.socket](https://www.freedesktop.org/software/systemd/man/systemd.socket.html) man page. * Add dependency on rest-server.socket  Was the change discussed in an issue or in the forum before? ------------------------------------------------------------ Yes, in the forum: https://forum.restic.net/t/using-none-instead-of-af-inet-af-inet6-for-restrictaddressfamilies-in-systemd-unit-rest-server-service/6448  Checklist --------- - [x] I have enabled [maintainer edits for this PR](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/allowing-changes-to-a-pull-request-branch-created-from-a-fork) - [ ] I have added tests for all changes in this PR - [ ] I have added documentation for the changes (in the manual) - [x] There's a new file in `changelog/unreleased/` that describes the changes for our users (template [here](https://github.com/restic/rest-server/blob/master/changelog/TEMPLATE)) - [ ] I have run `gofmt` on the code in all commits - [ ] All commit messages are formatted in the same style as [the other commits in the repo](https://github.com/restic/rest-server/commits/master) - [x] I'm done, this Pull Request is ready for review