From 6bdee24c4a93b472b98ec389635d755dda275c04 Mon Sep 17 00:00:00 2001
From: Dante
Date: Fri, 17 Nov 2023 12:11:13 +0100
Subject: [PATCH] Fix restore script, linter issues and harden systemd script

---
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++
 scripts/restore | 11 -----------
 scripts/upgrade | 2 --
 3 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index d6ce26a..d6b201f 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -9,5 +9,39 @@ Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 ExecStart=__INSTALL_DIR__/bin/python3 -m mautrix_telegram
 
+# Optional hardening to improve security
+ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/scripts/restore b/scripts/restore
index 3809fbf..c709920 100755
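Review bot: `ReadWritePaths=__INSTALL_DIR__/` leaves the whole install tree writable, and that tree is where `ExecStart` runs the venv's `bin/python3` from (the restore hunk's removed `python3 -m venv $install_dir` shows the venv lives there), so `ProtectSystem=strict` still lets a compromised bridge rewrite its own interpreter or site-packages and persist across restarts. If the bridge only writes its log directory and a few state files, list just those, e.g. `ReadWritePaths=/var/log/__APP__` plus the specific data/config paths under `__INSTALL_DIR__` it updates — which paths it actually writes is not visible here and needs checking against the config. `MemoryDenyWriteExecute=true` is known to break Python libraries that rely on ctypes/cffi trampolines on some libffi versions, so the bridge should be exercised (login, media, encryption) under the new unit before shipping, and that single line dropped rather than the whole block if it fails. Since the unit runs unprivileged (`Group=__APP__`, presumably a matching `User=`), the denylist `CapabilityBoundingSet=~…` is weaker and noisier than the empty set `CapabilityBoundingSet=`, which also drops CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETUID and CAP_NET_BIND_SERVICE that the current list leaves in. The heading should state the contract instead of calling the block optional: `# Hardening (systemd.exec(5)): ProtectSystem=strict makes the filesystem read-only except ReadWritePaths, which must list every path the bridge writes.`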
--- a/scripts/restore
+++ b/scripts/restore
@@ -42,17 +42,6 @@ ynh_script_progression --message="Restoring the PostgreSQL database..." --weight
 ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name
-#=================================================
-# INSTALL MAUTRIX-BRIDGE PYTHON MODULE
-#=================================================
-ynh_script_progression --message="Installing Mautrix-Bridge Python Module..." --weight=6
-
-mkdir -p /var/log/$app
-# Configure Mautrix-Bridge
-python3 -m venv $install_dir
-export HOME=$install_dir
-$install_dir/bin/pip3 install --upgrade pip setuptools wheel
-
-#=================================================
 # REGISTER SYNAPSE APP-SERVICE
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index d5e9e84..58e4c60 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -84,8 +84,6 @@ ynh_backup_if_checksum_is_different --file="$install_dir/config.yaml"
 # as_token hs_token are autogenerated, save them before regenerating the config
 as_token=$(grep "as_token:" "$install_dir/config.yaml" | sed -r "s/ *as_token: *//")
 hs_token=$(grep "hs_token:" "$install_dir/config.yaml" | sed -r "s/ *hs_token: *//")
-# ynh_replace_string --match_string=__AS_TOKEN__ --replace_string="$as_token" --target_file="$install_dir/config.yaml"
-# ynh_replace_string --match_string=__HS_TOKEN__ --replace_string="$hs_token" --target_file="$install_dir/config.yaml"
 is_encryption_enabled="$encryption"
 if [ $encryption -eq 1 ]; then