zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

Utilize DynamicUser in systemd #1285

Closed aadnehovda closed 3 years ago

aadnehovda commented 3 years ago

With systemd's support for dynamic users (http://0pointer.net/blog/dynamic-users-with-systemd.html), you can drop both the static system user added during installation and the capabilities drop and user switching in the service itself. It also creates and manages permissions on /var/lib/zerotier-one and other service specific folders. Available since systemd v235.

Example unit file:

[Unit]
Description=ZeroTier One
After=network-online.target

[Service]
ExecStart=/usr/sbin/zerotier-one -U
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
DynamicUser=yes

# User= defaults to the service name if not specified
User=zerotier-one

[Install]
WantedBy=multi-user.target

adamierymenko commented 3 years ago

This is cool, but unfortunately we support many distributions including those with older systemd. This would further complicate the build process, requiring different systemd unit files for different distributions. So probably not now, but maybe once those older distributions are fully obsolete and no longer supported.

proletarius101 commented 2 years ago

Just want to add a side note in case someone wants to override zerotier's systemd unit to achieve such a feature. Since /var/lib/zerotier-one and its contents created by zerotier-cli are owned by user zerotier-one and are read-only by non-owner users, the zerotier daemon will warn

WARNING: unable to write to file: /var/lib/zerotier-one/networks.d/***.conf (unable to open)

To solve such an issue, we also need

ReadWritePaths=/var/lib/zerotier-one

So in summary, if you override the systemd unit with

sudo systemctl edit zerotier-one.service

you will need to write (with further hardening)

[Service]
ExecStart=
ExecStart=/usr/sbin/zerotier-one -U
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
DynamicUser=yes
ReadWritePaths=/var/lib/zerotier-one

# Further hardening
ProtectHome=true
NoNewPrivileges=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectProc=invisible
RestrictNamespaces=yes

aadnehovda commented 2 years ago

ReadWritePaths should not be necessary on systemd v235+. The directory /var/lib/private/zerotier-one and corresponding symlink /var/lib/zerotier-one will be automatically created and the correct permissions set whenever the service is first started. Try to start from scratch -- delete /var/lib/private/zerotier-one, /var/lib/zerotier-one (keep a backup of the identity/secret) and remove the static zerotier-one user and group (assuming they were installed by an rpm/deb package). When I tried this setup last time, the only things I used were the zerotier-one executable and a zerotier-one.service file on an otherwise clean system.

AFAICT, NoNewPrivileges=yes is implied by DynamicUser and can be skipped.
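As an added example (not code from the thread or the ZeroTier project), here is a drop-in that combines the two comments above: it relies on StateDirectory= rather than ReadWritePaths= (systemd.exec documents that, together with DynamicUser=, StateDirectory= creates /var/lib/private/zerotier-one and the /var/lib/zerotier-one symlink owned by the transient user), keeps the extra hardening, and includes a small lint function for checking such a drop-in before installing it. The temp-file path and the function name are assumptions for illustration; in practice the drop-in goes in via `systemctl edit zerotier-one.service`.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a hardened DynamicUser= drop-in
# for zerotier-one.service to an illustrative path and lints it. The path and
# the function name are assumptions; the settings are standard systemd ones.
set -eu

DROPIN="${TMPDIR:-/tmp}/zerotier-one.override.conf"   # illustrative path

cat >"$DROPIN" <<'EOF'
[Service]
# Reset the packaged ExecStart; -U stops the daemon from trying to
# switch users itself, which a dynamic user cannot do.
ExecStart=
ExecStart=/usr/sbin/zerotier-one -U
DynamicUser=yes
# If a package already created /var/lib/zerotier-one, move it aside
# (keep identity.secret) before the first start, as the thread advises.
StateDirectory=zerotier-one
# Only what a tun device and raw sockets need.
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
ProtectHome=true
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectProc=invisible
RestrictNamespaces=yes
EOF

# check_override FILE: returns 0 when the drop-in has the settings an
# unprivileged DynamicUser= run needs, 1 otherwise (reasons on stderr).
check_override() {
    f=$1; rc=0
    grep -qx 'DynamicUser=yes' "$f" || { echo "missing DynamicUser=yes" >&2; rc=1; }
    grep -qE '^ExecStart=.*zerotier-one.* -U( |$)' "$f" \
        || { echo "ExecStart must pass -U" >&2; rc=1; }
    grep -qE '^(StateDirectory=zerotier-one|ReadWritePaths=/var/lib/zerotier-one)$' "$f" \
        || { echo "no writable state dir for /var/lib/zerotier-one" >&2; rc=1; }
    case "$(sed -n 's/^AmbientCapabilities=//p' "$f")" in
        'CAP_NET_RAW CAP_NET_ADMIN'|'CAP_NET_ADMIN CAP_NET_RAW') ;;
        *) echo "AmbientCapabilities must be exactly CAP_NET_RAW CAP_NET_ADMIN" >&2; rc=1 ;;
    esac
    return $rc
}

check_override "$DROPIN"
```

The lint accepts either StateDirectory= or the ReadWritePaths= form from the earlier comment, so it can be run against both variants discussed in the thread.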