6 Security
Neovoid Pineapple edited this page 2024-06-25 12:36:43 +00:00

Since the exozyme server is shared among many people, it's important to be mindful of security.

General tips

  • Use Unix sockets instead of TCP sockets whenever possible for web services, since anyone on the server can access your TCP socket. If you must use a TCP socket, you may want to password-protect the web service that's running on it.
  • Don't include secrets and passwords in command-line flags since they'll show up in the process table.

Sandboxing

Podman: Lightweight Linux containers similar to Docker. Use this if you don't know anything about sandboxing.

Bubblewrap

  • Use --unshare-all.
  • Use --ro-bind for the executable itself and the files it needs to use, e.g. /usr/lib.
  • Use --bind for directories the service needs to write to, e.g. /tmp. You only need this if the service has persistence.
  • Use --share-net if it needs network access. Unix domain sockets do not need this flag to function.
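As an added example (not part of this wiki page), a Bash function that assembles a bwrap command line from the flags above; the executable path, state directory and the system library paths are assumptions, and the function prints the command rather than running it so it can be inspected first.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: build a bubblewrap invocation for a web
# service using the recommended flags. All paths below are assumptions.
set -euo pipefail

# build_bwrap_cmd EXECUTABLE STATE_DIR NEED_NET
#   EXECUTABLE : the service binary to sandbox
#   STATE_DIR  : writable directory for persistent state ("" if stateless)
#   NEED_NET   : "yes" if the service needs TCP; "no" for Unix sockets only
# Prints the bwrap command, one argument per line.
build_bwrap_cmd() {
    local exe=$1 state_dir=$2 need_net=$3
    local -a args=(bwrap --unshare-all)

    # Read-only binds for the system libraries; --ro-bind-try skips paths
    # that do not exist on this host instead of failing.
    args+=(--ro-bind-try /usr /usr --ro-bind-try /lib /lib --ro-bind-try /lib64 /lib64)
    # The executable itself, read-only.
    args+=(--ro-bind "$exe" "$exe")
    # Minimal /proc and /dev, and a private tmpfs so /tmp is not shared.
    args+=(--proc /proc --dev /dev --tmpfs /tmp)

    # Writable bind only when the service has persistent state.
    if [ -n "$state_dir" ]; then
        args+=(--bind "$state_dir" "$state_dir")
    fi
    # Unix domain sockets work without --share-net; add it only for TCP.
    if [ "$need_net" = yes ]; then
        args+=(--share-net)
    fi

    # Kill the service if the wrapper dies, then run it.
    args+=(--die-with-parent -- "$exe")
    printf '%s\n' "${args[@]}"
}

# Example: stateful service reachable over a Unix socket (no network).
build_bwrap_cmd /usr/bin/myservice /srv/myservice/data no
```

To actually launch the service, feed the printed arguments to the shell, e.g. `eval "$(build_bwrap_cmd /usr/bin/myservice /srv/myservice/data no | tr '\n' ' ')"`, after reviewing the output.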

Manually using user namespaces

This section is for advanced users who know what they're doing. If you would like to run a command as a different user for security hardening, you can use this magic command: unshare -r --map-auto -S 1 -G 1.

Here's how it works. You have a set of 100000 subordinate users which are specified in /etc/subuid. They have UIDs starting with (your_UID-999)*100000.

When you run this unshare command, it maps UID 0 on the inside to your normal user and UIDs 1 through 100000 on the inside to your subordinate users on the outside. The flags -S 1 -G 1 specify that you would like to run the command on the inside as the UID 1 on the inside, which corresponds to your first subordinate user on the outside.

To chown files between your normal user and your subordinate users, use unshare -r --map-auto chown (unshare -r --map-auto is equivalent to podman unshare), and specify the inside UID of the target user.

Shell Script Security

Shell scripts can be vulnerable if not written carefully.

  • Always use ShellCheck to scan for bugs.
  • For CGI scripts, consider using a CGI wrapper in your own HTTP server, such as FastCGI or Caddy.
  • Follow the principle of least privilege when it comes to permissions.
  • Don't store sensitive information such as passwords in scripts.
  • Use encrypted passwords instead.
  • Use environment variables safely, e.g. set your $PATH carefully.

For further shell script security practices, check these resources:

  1. https://developer.apple.com/library/archive/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html
  2. https://sipb.mit.edu/doc/safe-shell/
  3. https://www.admin-magazine.com/Archive/2021/64/Best-practices-for-secure-script-programming