[RFC] Hardening tinc systemd service
Oleksandr Natalenko
oleksandr at natalenko.name
Tue Apr 6 23:31:27 CEST 2021
Hello.
On Tue, Apr 06, 2021 at 10:28:17PM +0100, Graham Cobb wrote:
> On 06/04/2021 20:09, Oleksandr Natalenko wrote:
> > (resending after ml approval)
> >
> > Hello.
> >
> > I'm currently working on hardening the tinc's systemd service file.
> >
> > Here are the principles I'm following:
> >
> > 1. employing all the hardening knobs possible as per
> > `systemd-analyze security tinc@` output for the latest systemd stable
> > release available
> > 2. running tincd on behalf of dynamic non-root user so that no static
> > user creation is needed; a user per network is used
> > 3. making the current host keys, both public and private, a part of
> > state, not a configuration; in systemd's terms it means that the keys
> > of the current host should move under /var/lib, while /etc stays
> > immutable
>
> Personally, I'm not keen on that. To me, the keys are config data. Where
> they are generated is completely separate from where they are used. It
> depends on which direction and/or tools are being used for moving them
> around. For example, sometimes I may generate the keys for a client on
> the central router (or even a third system) and copy them from there to
> the client. Because of firewalls and/or NAT, clients often do not have
> SSH access into the router except over tinc, but SSH access from the
> central router out to the client may be easier to set up in some
> circumstances.
>
> I would also like to be sure the node's private key is deleted by just
> deleting /etc/tinc, not go looking for it somewhere in /var/lib.
>
> And on some systems I backup /etc but do not back up /var/lib. Losing
> tinc just because a file has been corrupted would be a pain to recover.
>
> Of course, I realise I can do everything I need to with your approach,
> but it just makes my life harder and breaks my conceptual model of where
> the configuration data lives.
>
> Just my personal view.
Just to reflect on this quickly: I do not suggest amending defaults.
Things may and probably should what they are by default, but there
should be new configuration options to amend hard-coded paths.
This is really all I ask about. So you should be safe :).
Thanks for your opinion!
--
Oleksandr Natalenko (post-factum)
More information about the tinc
mailing list