Главная Обзор Помощь
Вход
Apq
/
syncthing
зеркало из https://github.com/syncthing/syncthing.git
1
0
Ответвить 0
Файлы Задачи 0 Вики
Просмотр исходного кода

fix(systemd): support overrides for syncOwnership (#10602)

Syncthing docs in https://docs.syncthing.net/users/autostart.html#permissions
tell the user to set `AmbientCapabilities=CAP_CHOWN CAP_FOWNER` if the
user wishes to use the `syncOwnership` option.

https://github.com/syncthing/syncthing/pull/10421 broke `syncOwnership`
for users that followed that advice because the PR introduced
`CapabilityBoundingSet=` which cancels out any additional capabilities
granted with `AmbientCapabilities`.

(`AmbientCapabilities` _adds_ capabilities; `CapabilityBoundingSet`
_limits_ maximum capabilities to the specified set. Setting
`CapabilityBoundingSet` to an empty list prevents any capabilities from
being acquired in any way.)

This PR fixes the breakage by explicitly setting

    CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER

This does _not_ grant any additional access rights to syncthing if the
user is not explicitly setting `AmbientCapabilities` as well, but it
does loosen the sandbox _a bit_. An attacker compromising the syncthing
process could now more easily expand their access to include
CAP_CHOWN/CAP_FOWNER even if the user is not setting
`AmbientCapabilities`.

Signed-off-by: Val Markovic <[email protected]>
Val Markovic 1 месяц назад
Родитель
55d3b7c5db
Сommit
c4ff02def7
1 измененных файлов с 14 добавлено и 1 удалено
Разделённый вид Показать статистику Diff
  1. 14 1
      etc/linux-systemd/system/[email protected]

+ 14 - 1
etc/linux-systemd/system/[email protected]
Просмотреть файл 

@@ -83,10 +83,23 @@ RestrictRealtime=true
 
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 
 # The lifetime limit of (superuser) capabilities that syncthing can acquire.
 
 # This option _restricts_ capabilities.
 
-CapabilityBoundingSet=
 
+#
 
+# NOTE: This is set to `CAP_CHOWN CAP_FOWNER` to avoid breaking users that have
 
+# set `AmbientCapabilities=CAP_CHOWN CAP_FOWNER` to enable the `syncOwnership`
 
+# option as described in:
 
+#   https://docs.syncthing.net/users/autostart.html#permissions
 
+#
 
+# If you do not use the `syncOwnership` option, you can set this to:
 
+#   CapabilityBoundingSet=
 
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
 
 # Start with empty (superuser) capabilities.
 
 # This option _expands_ capabilities.
 
 # AmbientCapabilities should equal CapabilityBoundingSet.
 
+#
 
+# NOTE: IFF you wish to use the `syncOwnership` option, you must set this to:
 
+#   AmbientCapabilities=CAP_CHOWN CAP_FOWNER
 
+# in a systemd drop-in file. Be aware that this gives syncthing the ability to
 
+# change or ignore file ownership across the entire operating system.
 
 AmbientCapabilities=
 
 # Disables `personality` system call; it can be used for privilege escalation.
 
 LockPersonality=true