Ideas for improving exozyme security #175

New issue

Closed

opened 2022-08-05 20:28:40 +00:00 by a · 0 comments

a commented 2022-08-05 20:28:40 +00:00

Owner

Copy link

This is a huge list of ideas that @ersei and I came up with in #general:exozy.me for improving the server's security.

• AppArmor

• Give services CAP_NET_ADMIN and have them listen below port 1024 to prevent port hijacking like in #172

• Uninstall cronie so boot-time cron jobs can't hijack ports

• Isolate services using systemd sandboxing

• Chroot/container isolation?

• Per-user limits on number of processes, CPU, memory usage, similar to #38

• Configure systemd-oomd to not kill important processes

• Getting rid of the passwords still hashed with salted SHA1

• #181

If you have any other ideas feel free to reply!

This is a huge list of ideas that @ersei and I came up with in #general:exozy.me for improving the server's security. - [ ] AppArmor - [ ] Give services CAP_NET_ADMIN and have them listen below port 1024 to prevent port hijacking like in #172 - [x] Uninstall cronie so boot-time cron jobs can't hijack ports - [ ] Isolate services using systemd sandboxing - [ ] Chroot/container isolation? - [ ] Per-user limits on number of processes, CPU, memory usage, similar to #38 - [ ] Configure systemd-oomd to not kill important processes - [ ] Getting rid of the passwords still hashed with salted SHA1 - [x] #181 If you have any other ideas feel free to reply!

a added this to the v9.0 milestone 2022-08-05 20:28:40 +00:00

a added the

enhancement

help wanted

security

labels 2022-08-05 20:28:40 +00:00

a added this to the (deleted) project 2022-08-05 20:28:40 +00:00

a added a new dependency 2022-09-15 00:28:42 +00:00

#181 Idea: Make Woodpecker CI pipelines run as the user that triggered it instead of the woodpecker-agent user

a closed this issue 2022-09-25 23:04:57 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

v9.0

v8.8

v8.7

v8.6

v8.5

v8.4

v8.3

v8.2

v8.1

v8.0

v7.10

v7.9

v7.8

v7.7

v7.6

v7.5

v7.4

v7.3

v7.2

v7.1

v7.0

v6.1

v6.0

v5.1

v5.0

v4.2

v4.1

v4.0

v3.0

v2.5

v2.4

v2.3

v2.2

v2.1

v2.0

v1.3

v1.2

v1.1

v1.0

v0.3-beta

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

security

Security vulnerability

  

wontfix

This won't be fixed

No labels

bug

duplicate

enhancement

help wanted

invalid

question

security

wontfix

Milestone

Clear milestone

No items

No milestone

v9.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Depends on

#181 Idea: Make Woodpecker CI pipelines run as the user that triggered it instead of the woodpecker-agent user

exozyme/exozyme

Reference: exozyme/exozyme#175

No description provided.