YunoHost/package_linter
1
0
Fork 0
mirror of https://github.com/YunoHost/package_linter.git synced 2024-09-03 20:06:12 +02:00
Code Issues Projects Releases Packages Wiki Activity

Encourage to harden systemd configuration

Browse source
This commit is contained in:
Alexandre Aubin 2021-09-29 17:37:23 +02:00
parent 5b6cde0562
commit ab8696322d
1 changed files with 19 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
package_linter.py
View file

@ -770,6 +770,25 @@ class Configurations(TestSuite):
if any(match[1] in ["root", "www-data"] for match in matches):
yield Warning("DO NOT run the app's systemd service as root or www-data! Use a dedicated system user for this app! If your app requires administrator priviledges, you should consider adding the user to the sudoers (and restrict the commands it can use!)")
@test()
def systemd_config_harden_security(self):
app = self.app
for filename in os.listdir(app.path + "/conf") if os.path.exists(app.path + "/conf") else []:
# Ignore subdirs or filename not containing nginx in the name
if not filename.endswith(".service"):
continue
if os.system(f"grep -q '^ *CapabilityBoundingSet=' '{app.path}/conf/{filename}'") != 0 \
or os.system(f"grep -q '^ *Protect.*=' '{app.path}/conf/{filename}'") != 0 \
or os.system(f"grep -q '^ *SystemCallFilter=' '{app.path}/conf/{filename}'") != 0 \
or os.system(f"grep -q '^ *PrivateTmp=' '{app.path}/conf/{filename}'") != 0:
yield Info(f"You are encouraged to harden the security of the systemd configuration {filename}. You can have a look at https://github.com/YunoHost/example_ynh/blob/master/conf/systemd.service#L14-L42 for a baseline.")
@test()
def php_config_specific_user(self):