Insecure systemd services like NetworkManager running as root?

I just ran a run0 lynis audit system and it mentioned a lot of vulnerable/insecure systemd services.

- NetworkManager-dispatcher.service (value=9.6)           [ INSECURE ]
- NetworkManager.service (value=7.8)                      [ VULNERABLE ]
- audiobookshelf.service (value=9.2)                      [ INSECURE ]
- dbus.service (value=9.6)                                [ INSECURE ]
- display-manager.service (value=9.6)                     [ INSECURE ]
- emergency.service (value=9.5)                           [ INSECURE ]
- fancontrol.service (value=9.6)                          [ INSECURE ]
- getty@tty1.service (value=9.6)                          [ INSECURE ]
- getty@tty7.service (value=9.6)                          [ INSECURE ]
- libvirtd.service (value=9.6)                            [ INSECURE ]
- mullvad-daemon.service (value=9.6)                      [ INSECURE ]
- nix-daemon.service (value=9.6)                          [ INSECURE ]
- nscd.service (value=8.2)                                [ VULNERABLE ]
- ntpd-rs.service (value=8.3)                             [ VULNERABLE ]
- reload-systemd-vconsole-setup.service (value=9.6)       [ INSECURE ]
- rescue.service (value=9.5)                              [ INSECURE ]
- run-p56404-i56704.service (value=9.6)                   [ INSECURE ]
- scx.service (value=9.6)                                 [ INSECURE ]
- spice-vdagentd.service (value=9.6)                      [ INSECURE ]
- system76-power.service (value=9.6)                      [ INSECURE ]
- system76-scheduler.service (value=9.6)                  [ INSECURE ]
- systemd-ask-password-console.service (value=9.4)        [ INSECURE ]
- systemd-ask-password-wall.service (value=9.4)           [ INSECURE ]
- udisks2.service (value=9.6)                             [ INSECURE ]
- user@1002.service (value=9.4)                           [ INSECURE ]
- virtlockd.service (value=9.6)                           [ INSECURE ]
- virtlogd.service (value=9.6)                            [ INSECURE ]
- virtlxcd.service (value=9.6)                            [ INSECURE ]
- virtqemud.service (value=9.6)                           [ INSECURE ]
- virtvboxd.service (value=9.6)                           [ INSECURE ]
- virtxend.service (value=9.6)                            [ INSECURE ]

As an example, this is what NetworkManager.service looks like:

  NAME                                                        DESCRIPTION                                                        EXPOSURE
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                           0.1
  SupplementaryGroups=                                        Service runs as root, option does not matter                               
  RemoveIPC=                                                  Service runs as root, option does not apply                                
✗ User=/DynamicUser=                                          Service runs as root user                                               0.4
✗ NoNewPrivileges=                                            Service processes may acquire new privileges                            0.2
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                           
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities                      
✗ PrivateDevices=                                             Service potentially has access to hardware devices                      0.2
✗ ProtectClock=                                               Service may write to the hardware clock or system clock                 0.2
✗ CapabilityBoundingSet=~CAP_KILL                             Service may send UNIX signals to arbitrary processes                    0.1
✗ ProtectKernelLogs=                                          Service may read from or write to the kernel log ring buffer            0.2
✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service may override UNIX file/IPC permission checks                    0.2
✓ CapabilityBoundingSet=~CAP_BPF                              Service may not load BPF programs                                          
✗ ProtectControlGroups=                                       Service may modify the control group file system                        0.2
✗ ProtectKernelModules=                                       Service may load or read kernel modules                                 0.2
✗ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service may load kernel modules                                         0.2
✗ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service may issue chroot()                                              0.1
✗ SystemCallArchitectures=                                    Service may execute system calls with all ABIs                          0.2
✗ MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                  0.1
✗ RestrictNamespaces=~user                                    Service may create user namespaces                                      0.3
✗ RestrictNamespaces=~pid                                     Service may create process namespaces                                   0.1
✗ RestrictNamespaces=~net                                     Service may create network namespaces                                   0.1
✗ RestrictNamespaces=~uts                                     Service may create hostname namespaces                                  0.1
✗ RestrictNamespaces=~mnt                                     Service may create file system namespaces                               0.1
✗ RestrictNamespaces=~cgroup                                  Service may create cgroup namespaces                                    0.1
✗ RestrictSUIDSGID=                                           Service may create SUID/SGID files                                      0.2
✗ RestrictNamespaces=~ipc                                     Service may create IPC namespaces                                       0.1
✗ ProtectHostname=                                            Service may change system host/domainname                               0.1
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service may change UID/GID identities/capabilities                      0.3
✗ LockPersonality=                                            Service may change ABI personality                                      0.1
✗ ProtectKernelTunables=                                      Service may alter kernel tunables                                       0.2
✗ RestrictAddressFamilies=~AF_PACKET                          Service may allocate packet sockets                                     0.2
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                    0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                      0.1
✗ RestrictAddressFamilies=~…                                  Service may allocate exotic sockets                                     0.3
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                   0.3
✗ RestrictRealtime=                                           Service may acquire realtime scheduling                                 0.1
✗ ProtectHome=                                                Service has read-only access to home directories                        0.1
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access                                              
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                
✗ DeviceAllow=                                                Service has no device ACL                                               0.2
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                    
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                    
✗ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has network configuration privileges                            0.2
✗ ProtectSystem=                                              Service has limited write access to the OS file hierarchy               0.1
✗ ProtectProc=                                                Service has full access to process tree (/proc hidepid=)                0.2
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)      0.1
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges                              0.1
✗ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has audit subsystem access                                      0.1
✗ PrivateNetwork=                                             Service has access to the host's network                                0.5
✗ PrivateUsers=                                               Service has access to other users                                       0.2
✗ PrivateTmp=                                                 Service has access to other software's temporary files                  0.2
✓ KeyringMode=                                                Service doesn't share key material with other services                     
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree          
✗ SystemCallFilter=~@clock                                    Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@cpu-emulation                            Service does not filter system calls                                    0.1
✗ SystemCallFilter=~@debug                                    Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@module                                   Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@mount                                    Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@obsolete                                 Service does not filter system calls                                    0.1
✗ SystemCallFilter=~@privileged                               Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@raw-io                                   Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@reboot                                   Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@resources                                Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@swap                                     Service does not filter system calls                                    0.2
✗ IPAddressDeny=                                              Service does not define an IP address allow list                        0.2
✓ NotifyAccess=                                               Service child processes cannot alter service state                         
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                  
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                      
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                        
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                        
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                             
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                              
✓ PrivateMounts=                                              Service cannot install system mounts                                       
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                        
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                          
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                         
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities              
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                            
✗ UMask=                                                      Files created by service are world-readable by default                  0.1

→ Overall exposure level for NetworkManager.service: 7.8 EXPOSED 🙁

(btw funny that they use Emojis)

So what to do about this? I am sure it is not good manners to run all these services as root.

Nothing, looks like a shitty tool to me. It flags getty of all things, and also complains that NetworkManager is not in a private network namespace; well yes, it has to manage network devices.

2 Likes

It’s just a wrapper around systemd-analyze security $unit afaict. And while, yes, it doesn’t know anything about what the service does, most services don’t need most things, so you can typically get to a “non-exposed” score by restricting the stuff the service doesn’t need.

Not perfect, but it’s pretty handy, I point it all the time at services I write.

EDIT: for instance, ProtectHome= seems like it should be settable for NetworkManager, along with a bunch of syscall filtering.

1 Like

The thing about such tools is people inexperienced in security massively misunderstand them, thinking anything they flag as insecure is inherently bad.

1 Like

Yeah, analyze security is a valid tool, but the wrapper seems to pretend that anything flagged by it is a problem.

Is there something like a minimalistic and hardened version of nixos for people (like me) who are not savvy enough to harden it themselves?

Some services need root privileges and will not function with better hardening. You can research these services online and see if there are any ways to run them more securely.

All of these services can be configured with systemd.services.<name>, so you can experiment with further hardening.

Many systemd units in Nixpkgs already have good security settings, often with the settings recommended by upstream, but there are plenty that can be improved.

2 Likes
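What the advice in this thread (restrict what the service does not need, set ProtectHome= and syscall filtering on NetworkManager, and do it through systemd.services.<name>) looks like as a NixOS override. This is an added example, not code from the thread or from Nixpkgs; which restrictions NetworkManager actually tolerates is my assumption and has to be tested on the machine in question, and the remarks in the comments about what the daemon writes or opens (sysctls under /proc/sys/net, /dev/rfkill, profiles under /etc/NetworkManager) describe the upstream unit as I understand it, not anything verified in this thread.

```nix
# Added example, not from the thread: tighten NetworkManager.service using the
# report lines systemd-analyze security printed above. Every setting here is an
# assumption about what the daemon can live without. After `nixos-rebuild switch`,
# re-run `systemd-analyze security NetworkManager.service` and exercise the real
# workflows (Wi-Fi, VPN, dispatcher scripts) before keeping it.
{ config, lib, pkgs, ... }:

{
  systemd.services.NetworkManager.serviceConfig = {
    # "Service has read-only access to home directories" (ProtectHome=, 0.1):
    # a network daemon has no business in /home, /root or /run/user.
    ProtectHome = true;

    # "Service has access to other software's temporary files" (PrivateTmp=, 0.2).
    PrivateTmp = true;

    # Read-only /usr and /boot. "full" or "strict" would also cover /etc, but
    # NetworkManager writes connection profiles under /etc/NetworkManager.
    ProtectSystem = true;

    # Kernel-facing surface the daemon does not need. ProtectKernelTunables= is
    # deliberately left out: NetworkManager writes sysctls under /proc/sys/net
    # (IPv6 router advertisements, forwarding). PrivateDevices= is also left
    # alone because the daemon opens /dev/rfkill, and ProtectHostname= because
    # it may set the hostname itself when hostnamed is unavailable.
    ProtectKernelLogs = true;
    ProtectControlGroups = true;
    ProtectClock = true;
    LockPersonality = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    SystemCallArchitectures = "native";

    # "Service may allocate exotic sockets" (RestrictAddressFamilies=~…, 0.3):
    # keep only the families a network manager uses. AF_PACKET is needed for
    # DHCP; drop AF_BLUETOOTH if Bluetooth tethering is never used.
    RestrictAddressFamilies = [
      "AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6" "AF_PACKET" "AF_BLUETOOTH"
    ];

    # "Service does not filter system calls" (SystemCallFilter=~@..., 0.1-0.2
    # each). A deny list of groups with no plausible use in this daemon is the
    # low-risk first step; an allow list such as @system-service is stricter but
    # needs more testing. @module and @privileged stay allowed on purpose: the
    # upstream unit keeps CAP_SYS_MODULE and CAP_SETUID/CAP_SETGID, and the
    # filter is inherited by every child, including modprobe and dispatcher
    # scripts.
    SystemCallFilter = [
      "~@cpu-emulation" "~@debug" "~@mount" "~@obsolete"
      "~@raw-io" "~@reboot" "~@swap"
    ];
  };
}
```

NixOS renders a list-valued serviceConfig entry as repeated `Key=value` lines, which systemd merges for RestrictAddressFamilies= and SystemCallFilter=. A syscall that the filter denies kills the process with SIGSYS and shows up in the journal, so a service that suddenly dies after the rebuild is the signal to remove one group at a time and re-test.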

This output does not mean NixOS or these services are vulnerable. This tool is only reporting how well sandboxed the systemd unit is; it knows nothing about the security of the actual program being run by the service.

Thanks for your answer. I appreciate your tips for learning more about hardening NixOS or Linux in general. I might want to put it on my list, if I ever manage to learn just using it properly. :blush: I would only install a hardened and minimalistic version of NixOS as a baseline, if there were something like it.

There is a hardened profile for NixOS, which could be used as a baseline, but I have no idea how much stuff just doesn’t work because of the hardening. There’s a reason these things aren’t the default.

2 Likes

Those services will be running as root on 99% of GNU/Linux distributions. This tool is useful to understand the level of hardening that has been applied to a systemd service, but the vulnerable or insecure labels are utter nonsense.

So what to do about this? I am sure it is not good manners to run all these services as root.

Yes, it would be better to not run them as root.

What you could do about it is do what I have done, for example, with dhcpcd. Spend a couple of weeks studying what the program does (which files it needs with write access, which as read-only, whether it opens network sockets, configures the kernel via netlink, etc.) and which capabilities it needs (if they exist), then try to harden it, add workarounds using polkit or sudo if needed, and make sure you don’t break any common workflow.

Then, open a pull request in Nixpkgs and wait for reviews. And if it gets merged, go to the next service in line.

2 Likes

Many thanks for all your answers. I will go with the default NixOS distro for the moment. Maybe I will try out the hardened one eventually. I just wanted to know if there is a minimal, highly secure (or in my case a paranoid) profile I could use. Honestly, as a newbie I have more than enough to do with understanding the basics of Nix and NixOS; I don’t need to complicate things with stuff I don’t understand either. Thanks again and may you all have a great time.

afaik this is not always true

I remember Arch running SDDM as root, while Fedora runs SDDM as its own user.

In most cases, root should be possible to replace with a user with specific privileges.

Nice thread, will keep the info in mind and see what hardening makes sense and how it can be upstreamed.

1 Like