Giter Club home page Giter Club logo

Comments (5)

DasSkelett avatar DasSkelett commented on July 16, 2024 3

systemd/systemd@bed0b7d

This is not safe. The [nobody] user's main purpose on Linux-based
operating systems is to be the owner of files that otherwise cannot be mapped
to any local user. It's used by the NFS client and Linux user namespacing,
among others. By running a unit's processes under the identity of this user
they might possibly get read and even write access to such files that cannot
otherwise be mapped.

It is strongly recommended to avoid running services under this user identity,
in particular on systems using NFS or running containers. Allocate a user ID
specific to this service, either statically via systemd-sysusers or dynamically
via the DynamicUser= service setting.

from endlessh.

cgzones avatar cgzones commented on July 16, 2024 1

For me the following service configuration works:

[Unit]
Description=Endlessh SSH Tarpit
Documentation=man:endlessh(1)
Requires=network-online.target

[Service]
Type=simple
Restart=always
RestartSec=30sec
ExecStart=/usr/bin/endlessh
KillSignal=SIGTERM

# Stop trying to restart the service if it restarts too many times in a row
StartLimitInterval=5min
StartLimitBurst=4

StandardOutput=journal
StandardError=journal
StandardInput=null

PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true

PrivateUsers=true
DynamicUser=true

NoNewPrivileges=true
ConfigurationDirectory=endlessh
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectKernelLogs=true
ProtectProc=true
ProtectHostname=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true

SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target

from endlessh.

jamespo avatar jamespo commented on July 16, 2024

Good point - but it should not left as it is as it's currently root

from endlessh.

HalJordan avatar HalJordan commented on July 16, 2024

I mean, it looks to me that "nobody" was chosen as an example... couldn't we just make an "endlessh" user for this?

That way if some exploit does make it's way out, they'll have access to that user instead of root, which is the whole point of this suggestion(IMHO).

from endlessh.

jamespo avatar jamespo commented on July 16, 2024

closing

from endlessh.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.