diff --git a/conf/guacd.service b/conf/guacd.service
index ea1c52a..3b30a0f 100644
--- a/conf/guacd.service
+++ b/conf/guacd.service
@@ -11,5 +11,33 @@ Restart=on-abnormal
 Environment="LD_LIBRARY_PATH=__FINALPATH__/lib:__FINALPATH__/usr/lib"
 Environment="GUACAMOLE_HOME=__FINALPATH__/etc/guacamole"
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/conf/tomcat9_deb.src b/conf/tomcat9_deb.src
index ba35364..c7cf78a 100644
--- a/conf/tomcat9_deb.src
+++ b/conf/tomcat9_deb.src
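Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that does not exist — the raw-I/O capability in capabilities(7) is CAP_SYS_RAWIO — so systemd logs a parse warning for that token and skips it, and raw I/O access is never actually dropped; the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. The denylist also still leaves CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, CAP_CHOWN, CAP_FOWNER, CAP_KILL and CAP_NET_BIND_SERVICE in the set, and the "webapps" comment suggests it was copied from a generic template rather than derived from what guacd needs; if the unit runs guacd as its own unprivileged user (the `[Service]` header and any User= line are above the hunk and not visible here), the nine lines can collapse to `CapabilityBoundingSet=` (empty), which drops everything and cannot go stale. The SystemCallFilter=~… denylist is only as good as its list as well; adding `SystemCallArchitectures=native` stops the filter being sidestepped through a non-native syscall ABI, and ProtectHome=yes is the obvious companion to ProtectSystem=full that is missing. The installed unit is worth checking with `systemd-analyze security` after these changes, since a filter that is too strict only shows up as guacd dying at runtime.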
@@ -1,5 +1,5 @@
-SOURCE_URL=https://ftp.debian.org/debian/pool/main/t/tomcat9/tomcat9_9.0.31-1~deb10u4_all.deb
-SOURCE_SUM=42276CABAD11856553DD9265B8C7FBCCE245525BF80EAF180085AB74BB078619
+SOURCE_URL=https://ftp.debian.org/debian/pool/main/t/tomcat9/tomcat9_9.0.31-1~deb10u6_all.deb
+SOURCE_SUM=9fc770b3cb32bacd22e6e48ea4539985173e523545f799dc207ea4316a8402e9
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=ar
 SOURCE_IN_SUBDIR=false
diff --git a/manifest.json b/manifest.json
index 6ced031..a9fc38a 100644
--- a/manifest.json
+++ b/manifest.json
@@ -31,8 +31,7 @@
 "install" : [
 {
 "name": "domain",
-"type": "domain",
-"example": "example.com"
+"type": "domain"
 },
 {
 "name": "path",
@@ -42,8 +41,7 @@
 },
 {
 "name": "admin",
-"type": "user",
-"example": "johndoe"
+"type": "user"
 },
 {
 "name": "is_public",
diff --git a/scripts/install b/scripts/install
index 89746af..82f2412 100755
--- a/scripts/install
+++ b/scripts/install
@@ -226,13 +226,13 @@ ynh_add_systemd_config --service="$app-tomcat" --template="tomcat.service"
 #=================================================
 # Set permissions to app files
-chown -R root:root $final_path
+chown -R nobody $final_path
 chmod -R o-rwx $final_path
 setfacl -n -R -m user:$app-guacd:rx -m default:user:$app-guacd:rx $final_path
 setfacl -n -R -m user:$app-tomcat:rx -m default:user:$app-tomcat:rx $final_path
 chown -R $app-guacd:$app-guacd "/var/log/$app/guacd/"
 chown -R $app-tomcat:$app-tomcat "/var/log/$app/tomcat/"
-chown -R root:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
+chown -R nobody:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
 chown -R "$app-tomcat":"$app-tomcat" "$final_path/var/lib/tomcat9/webapps"
 setfacl -n -R -m user:$app-guacd:- -m default:user:$app-guacd:- "$final_path/var/lib/tomcat9/" "$final_path/etc/guacamole/" "$final_path/etc/tomcat9/"
diff --git a/scripts/restore b/scripts/restore
index fccdf1d..2cb58bf 100755
--- a/scripts/restore
+++ b/scripts/restore
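Review bot: `chown -R nobody $final_path` hands ownership of the whole app tree — including `$final_path/etc/guacamole/` and `$final_path/etc/tomcat9/`, which the second changed line then makes `nobody:$app-tomcat` — to the system-wide `nobody` account, and because `chmod -R o-rwx` only strips the other-bits the owner keeps write access to it all. `nobody` is not a private no-privilege identity: it is shared by whatever else on the host runs as nobody, so a compromise of any such process can now rewrite the configuration and webapps this service loads, which the previous root ownership prevented. The bare `nobody` argument also leaves the group as whatever the extracted files carried, where the old line set owner and group explicitly. If root ownership had to go, a dedicated owner account created by the package (or simply keeping `chown -R root:root "$final_path"`) with an explicit owner:group on every chown is the safer form; the same two lines are changed identically in scripts/restore and scripts/upgrade.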
@@ -38,8 +38,6 @@ db_user=$db_name
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=1
-ynh_webpath_available --domain=$domain --path_url=$path_url \
- || ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 || ynh_die --message="There is already a directory: $final_path "
@@ -110,11 +108,11 @@ fi
 #=================================================
 # Restore permissions on app files
-chown -R root:root $final_path
+chown -R nobody $final_path
 chmod -R o-rwx $final_path
 setfacl -n -R -m user:$app-guacd:rx -m default:user:$app-guacd:rx $final_path
 setfacl -n -R -m user:$app-tomcat:rx -m default:user:$app-tomcat:rx $final_path
-chown -R root:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
+chown -R nobody:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
 chown -R "$app-tomcat":"$app-tomcat" "$final_path/var/lib/tomcat9/webapps"
 setfacl -n -R -m user:$app-guacd:- -m default:user:$app-guacd:- "$final_path/var/lib/tomcat9/" "$final_path/etc/guacamole/" "$final_path/etc/tomcat9/"
diff --git a/scripts/upgrade b/scripts/upgrade
index f468777..8034f77 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -201,13 +201,13 @@ ynh_add_systemd_config --service="$app-tomcat" --template="tomcat.service"
 #=================================================
 # Set permissions on app files
-chown -R root:root $final_path
+chown -R nobody $final_path
 chmod -R o-rwx $final_path
 setfacl -n -R -m user:$app-guacd:rx -m default:user:$app-guacd:rx $final_path
 setfacl -n -R -m user:$app-tomcat:rx -m default:user:$app-tomcat:rx $final_path
 chown -R $app-guacd:$app-guacd "/var/log/$app/guacd/"
 chown -R $app-tomcat:$app-tomcat "/var/log/$app/tomcat/"
-chown -R root:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
+chown -R nobody:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
 chown -R "$app-tomcat":"$app-tomcat" "$final_path/var/lib/tomcat9/webapps"
 setfacl -n -R -m user:$app-guacd:- -m default:user:$app-guacd:- "$final_path/var/lib/tomcat9/" "$final_path/etc/guacamole/" "$final_path/etc/tomcat9/"