protect local admin socket, harden service file

2021-02-12 21:18:10 +00:00 · 2021-02-12 21:18:10 +00:00 · 991010fd69
commit 991010fd69
parent 74f9190cc1
6 changed files with 118 additions and 48 deletions
--- a/next/Caddyfile
+++ b/next/Caddyfile
@ -1,28 +1,40 @@
 # The Caddyfile is an easy way to configure your Caddy web server.
 #
-# Unless the file starts with a global options block, the first
-# uncommented line is always the address of your site.
+# https://caddyserver.com/docs/caddyfile
 #
+# The configuration below serves a welcome page over HTTP on port 80.
 # To use your own domain name (with automatic HTTPS), first make
 # sure your domain's A/AAAA DNS records are properly pointed to
 # this machine's public IP, then replace the line below with your
 # domain name.
-:80
+#
+# https://caddyserver.com/docs/caddyfile/concepts#addresses

-# Set this path to your site's directory.
-root * /usr/share/caddy
+{
+	# Restrict the admin interface to a local unix file socket whose directory
+	# is restricted to caddy:caddy. By default the TCP socket allows arbitrary
+	# modification for any process and user that has access to the local
+	# interface. If admin over TCP is turned on one should make sure
+	# implications are well understood.
+	admin "unix//run/caddy/admin.socket"
+}

-# Enable the static file server.
-file_server
+http:// {
+	# Set this path to your site's directory.
+	root * /usr/share/caddy
+
+	# Enable the static file server.
+	file_server
+
+	# Another common task is to set up a reverse proxy:
+	# reverse_proxy localhost:8080
+
+	# Or serve a PHP site through php-fpm:
+	# php_fastcgi localhost:9000
+
+	# Refer to the directive documentation for more options.
+	# https://caddyserver.com/docs/caddyfile/directives
+}

 # Import additional caddy config files in /etc/caddy/conf.d/
 import /etc/caddy/conf.d/*
-
-# Another common task is to set up a reverse proxy:
-# reverse_proxy localhost:8080
-
-# Or serve a PHP site through php-fpm:
-# php_fastcgi localhost:9000
-
-# Refer to the Caddy docs for more information:
-# https://github.com/caddyserver/caddy/wiki/v2:-Documentation
--- a/next/PKGBUILD
+++ b/next/PKGBUILD
@ -23,14 +23,16 @@ source=("git+https://github.com/caddyserver/caddy#tag=${_gitcommit}?signed"
        caddy-api.service
        caddy.tmpfiles
        caddy.sysusers
-        Caddyfile)
+        Caddyfile
+        use-data-dir-for-autosave.patch)
 sha512sums=('SKIP'
            '2abccd41f770daebf61285dc017249f20c707877ea3c870f4a2375bbbd2bf481a8652d1fd3c7afd7d6b5c54838e9d8474a33e2c9790ef67dcf9d79c4e52953b4'
-            '6333b18707ed59283fc8e64870a7deb484042b4e32a005ee25a1d409b114fd6f55768e10af0d26f112edd16dd20ab579796441e82cf78d6bc9656296f69bff3e'
-            '1b55382e1a98ee3b26a092c0f5f7cd24c2e50dcac294c7c2eb764573eb2ae2a097ca93dbae0d7dacc4a2767539e11ea7a8143ad549f692044f87bb05e21d60a1'
-            '997e6e72bd02355f1139e2875eb190ed9e6fa8c1e72cea7824df764d1264e0925aeccb354cd939c1bf0c0803820a6f3d6c571fb89ce18491b9f4b196c3f5de06'
+            'd162f16e16be1673f11c384b79505b82fedbecacea77c2e64303b573aa982ace5706fb74eb7d0b219c5935427459537b685832357aed5ee48345648f439bf274'
+            'a4d9bbcccf3c6fe9be2b7ba98214d579ecd40991c5cc520ca1d105f307b31622f1c6b5a6cd7a4e8b32ccd2a229ed70115cba9c507baa413803897b7183f9abe0'
+            '55ee8d3f8b14f9adddc7a1026addcea4f85b4bae4cd512fd4da2a5e8adaae4b6fd0f486d2e3847f75518f4710a897b4fca84e48ee15700b968bad762125c4742'
            'c893d88fec89e37da6596030c8dce7103e7e575371e8542a24d2a0741e877358d85219f2d8ade9d6aa0f515efe1156a4badd9fef5f65f553a5b0c72330c4728f'
-            '399c177475e299bf5736dba1a9d045477072594390b73c7dd2e13e12785abe029d48e480aee98216f7a8735addd353ce4a07b56ed14364f641b138e4fca0ebcd')
+            '716da3f4edeb3561243aeaf5c32b01ff7a4ac810b6deba8364fb12a1f71b6a5278c34a97b289bcfdc48784679b942bf780f1f36d416a575791168c94b0d59fe0'
+            '563d6b45e91fc584fb5a27caaa382f59c140cb0a1b28b8d8faced4f7c7cad86d8671eb6ac10056f41518a842c8f606130d7e0c71df2b731d5eb0b4c868ea5d41')
 validpgpkeys=(
  29D0817A67156E4F25DC24782A349DD577D586A5 # Matthew Holt <mholt@users.noreply.github.com>
 )
@ -41,7 +43,9 @@ pkgver() {
 }

 prepare() {
+  cd "${pkgname}"
  sed 's|/var/www/html|/srv/http|g' -i "${srcdir}/index.html"
+  patch -Np1 < "${srcdir}/use-data-dir-for-autosave.patch"
 }

 build() {
@ -70,3 +74,5 @@ package() {
  install -d "${pkgdir}/etc/caddy/conf.d"
  install -Dm 644 "${srcdir}/index.html" "${pkgdir}/usr/share/caddy/index.html"
 }
+
+# vim: ts=2 sw=2 et:
--- a/next/caddy-api.service
+++ b/next/caddy-api.service
@ -27,26 +27,36 @@ ExecStart=/usr/bin/caddy run --environ --resume
 Restart=on-abnormal

 # Use graceful shutdown with a reasonable timeout
-KillMode=mixed
-KillSignal=SIGQUIT
 TimeoutStopSec=5s

 LimitNOFILE=1048576
 LimitNPROC=512

 # Hardening options
-PrivateTmp=true
-PrivateDevices=true
-ProtectHome=true
-ProtectSystem=strict
-ReadWritePaths=/var/lib/caddy /var/log/caddy
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DevicePolicy=closed
 LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true

 [Install]
 WantedBy=multi-user.target
--- a/next/caddy.service
+++ b/next/caddy.service
@ -14,7 +14,7 @@
 # `caddy run` command or use the caddy-api.service file instead.

 [Unit]
-Description=Caddy webserver
+Description=Caddy web server
 Documentation=https://caddyserver.com/docs/
 After=network-online.target
 Wants=network-online.target systemd-networkd-wait-online.service
@ -26,34 +26,45 @@ User=caddy
 Group=caddy
 Environment=XDG_DATA_HOME=/var/lib
 Environment=XDG_CONFIG_HOME=/etc
-ExecStart=/usr/bin/caddy run --adapter caddyfile --environ --config /etc/caddy/Caddyfile
-ExecReload=/usr/bin/caddy reload --adapter caddyfile --config /etc/caddy/Caddyfile
+ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
+ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile

 # Do not allow the process to be restarted in a tight loop. If the
 # process fails to start, something critical needs to be fixed.
 Restart=on-abnormal

 # Use graceful shutdown with a reasonable timeout
-KillMode=mixed
-KillSignal=SIGQUIT
 TimeoutStopSec=5s

 LimitNOFILE=1048576
 LimitNPROC=512

 # Hardening options
-PrivateTmp=true
-PrivateDevices=true
-ProtectHome=true
-ProtectSystem=strict
-ReadWritePaths=/var/lib/caddy /var/log/caddy
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DevicePolicy=closed
 LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true

 [Install]
 WantedBy=multi-user.target
--- a/next/caddy.tmpfiles
+++ b/next/caddy.tmpfiles
@ -1,2 +1,3 @@
 d /var/lib/caddy 0750 caddy caddy
 d /var/log/caddy 0750 caddy caddy
+d /run/caddy 0750 caddy caddy
--- a/next/use-data-dir-for-autosave.patch
+++ b/next/use-data-dir-for-autosave.patch
@ -0,0 +1,30 @@
+From e3a60a8058d2c75c9bc47f550351d0008aefb314 Mon Sep 17 00:00:00 2001
+From: anthraxx <levente@leventepolyak.net>
+Date: Fri, 12 Feb 2021 19:23:50 +0100
+Subject: [PATCH] storage: use data dir for autosave.json as /etc is write
+ protected
+
+This is more a state file instead of a custom file as caddy also
+persists this. We do not want to have any files in /etc being mapped
+writable, not even the /etc/caddy directory, hence move the persisted
+autosave.json state to the actual application data directory.
+---
+ storage.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/storage.go b/storage.go
+index 62f9b1c6..5babea79 100644
+--- a/storage.go
+++ b/storage.go
+@@ -154,7 +154,7 @@ func AppDataDir() string {
+ }
+ 
+ // ConfigAutosavePath is the default path to which the last config will be persisted.
+-var ConfigAutosavePath = filepath.Join(AppConfigDir(), "autosave.json")
+var ConfigAutosavePath = filepath.Join(AppDataDir(), "autosave.json")
+ 
+ // DefaultStorage is Caddy's default storage module.
+ var DefaultStorage = &certmagic.FileStorage{Path: AppDataDir()}
+-- 
+2.30.0
+