Harden a bit the systemd unit. #10205
Jackett on Linux systems currently uses /.config/Jackett as the location for its Indexers and DataProtection folders, and its log files.

ngosang will have a much better idea than me, so I'll leave this one to them, but looking at the provided documentation, something similar (without breaking Jackett) may be possible using:
This has to be reviewed carefully. There are a lot of distributions out there with old systemd versions. I will take this, but I want to work on #9029 first.

It would even be possible to apply
which makes everything R/O, then
I don't have much to say about that. I committed with the security, but I'm not sure if this will cause issues for other users. We have thousands of users running Jackett on NAS, routers, SBCs... If you are paranoid about security it will be better to run Jackett in a sandbox, cage or even in a root-less Docker. The Archlinux community also cares about security and they don't have those parameters => https://aur.archlinux.org/cgit/aur.git/tree/jackett.service?h=jackett @jvoisin @MichaIng probably you know more than me about systemd. If you both agree on the solution, combine all the changes in one PR and it will be reviewed and merged. If some user complains it will be reverted until it's fixed.

Yes.
@ngosang

```ini
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
ReadWritePaths=-/opt/jackett
```

Quite similar. ProtectKernelModules and NoNewPrivileges should be safe to enable as well, based on what Jackett needs to do. We additionally set ProtectControlGroups, which I would suggest here as well. Those are all not mandatory, of course, but each of them adds a tiny bit of security, which does not hurt, just in case the Jackett binary is corrupted harmlessly and/or the running user unexpectedly has more privileges than required/intended, like

Not everyone who cares about security knows or has sufficient experience with those systemd hardenings, so I wouldn't take it as an argument against it that the specific Arch AUR package maintainer(s) do(es) not implement them. In the case of Jackett it is quite simple, since it doesn't require write access anywhere aside from its install and data dir (right?). The only issue we faced with

Btw. on systemd, unknown directives are just ignored with a warning in the logs, so older systemd versions which do not support those (or all of them) yet will just continue to work as before.
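To check a Jackett unit for the directives listed above, and to catch a misspelt one (which, as noted, systemd would only warn about and then ignore), here is an added lint script; it is not code from the PR or the Jackett project, and its KNOWN set of directive names and the sample unit (including the /srv/jackett-blackhole path) are constructed assumptions.

```python
"""Lint a Jackett systemd unit for the sandboxing directives discussed above."""
from typing import Dict, List

# Directives proposed in the thread (systemd.exec(5)) and the value that enables them.
EXPECTED = {"ProtectSystem": "strict", "ProtectHome": "true", "PrivateDevices": "true",
            "PrivateTmp": "true", "ProtectKernelTunables": "true", "NoNewPrivileges": "true",
            "ProtectKernelModules": "true", "ProtectControlGroups": "true"}
# Assumed subset of real systemd.exec(5) names; other Protect*/Private* keys are flagged,
# since systemd only logs a warning for an unknown directive and then ignores it.
KNOWN = set(EXPECTED) | {"ReadWritePaths", "ReadOnlyPaths", "ProtectClock", "ProtectHostname",
                         "ProtectKernelLogs", "PrivateNetwork", "PrivateUsers"}
TRUTHY = {"true", "yes", "on", "1"}

def parse_service(unit_text: str) -> Dict[str, List[str]]:
    """Map each [Service] key to its values; keys such as ReadWritePaths= may repeat."""
    section, out = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out.setdefault(key, []).append(value)
    return out

def lint(unit_text: str) -> Dict[str, List[str]]:
    """Return hardening directives that are absent/disabled and likely misspelt ones."""
    svc = parse_service(unit_text)
    missing = [k for k, want in EXPECTED.items()
               if not any((v.lower() in TRUTHY) if want == "true" else (v == want)
                          for v in svc.get(k, []))]
    unknown = [k for k in svc if k.startswith(("Protect", "Private")) and k not in KNOWN]
    return {"missing": missing, "unknown": unknown}

# Constructed sample unit mirroring the thread, with the ProtectDevices= typo kept in.
SAMPLE_UNIT = """\
[Service]
User=jackett
ProtectSystem=strict
ProtectHome=true
ProtectDevices=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
PrivateTmp=true
ReadWritePaths=-/opt/jackett
ReadWritePaths=/srv/jackett-blackhole
"""
```

Running `lint(SAMPLE_UNIT)` reports PrivateDevices and NoNewPrivileges as missing and ProtectDevices as an unknown directive.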
ProtectDevices=yes | ||
ProtectKernelModules=yes | ||
ProtectKernelTunables=yes | ||
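Review bot: `ProtectDevices=yes` is not a systemd.exec(5) directive; the one that hides physical devices under /dev is `PrivateDevices=`. As the thread itself notes, systemd only warns about an unknown directive and then ignores it, so this line adds no sandboxing at all. Change it to `PrivateDevices=yes`.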
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups=
ProtectControlGroups=yes | |
Jackett's user-customisable

Ah, I didn't know about that. Jackett downloads and stores magnet files into this dir, i.e. requires write access, right? In this case, for the official systemd unit, it is then better to stay with

I would guess most users don't use it, but for those who do, torrents are downloaded to wherever they set it (e.g. their client's watch directory).
- DietPi-Software | Jackett: Add some additional systemd service hardening: Jackett/Jackett#10205 - RC up
Hello everyone, I did the installation, but something went wrong. I want to completely clean the system of Jackett and try again. I use Ubuntu; tell me the command for how to do it.

I'm using this and it works fine.
It's pretty much all the hardening you can do. Can't use
Note I have my
See https://www.redhat.com/sysadmin/mastering-systemd for details.