This patch improves the overall security assessment score given by
`systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE"
(when using systemd-analyze version 253)
* Remove `AF_INET AF_INET6` from RestrictAddressFamilies.
Sockets originating from socket activation are not affected by the
systemd directive RestrictAddressFamilies.
See systemd.exec man page.
* Add `PrivateNetwork=yes`
as recommended for socket-activated services in the systemd.socket man page
* Add dependency on rest-server.socket
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
The systemd administrator may wish to use additional resource control
facilities which systemd provides. Document the existence of these, and
provide some example options in commented form.
The supplied systemd unit file places some basic security restrictions
on the rest service. This patch enhances those, and improves the
overall security assessment score given by `systemd-analyze security`
from "8.3 EXPOSED" to "1.3 OK".
Closes#148
In addition to any existing filesystem restrictions on the (www-data)
backup user these config options uses namespaces and other kernel
features to further restrict what the _rest-server_ is allowed to do.
* `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures
that the _rest-server_ is only allowed to write to its data directory.
* `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_
gets (read) access to.
* `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid
binaries, etc to escalate its privileges.
See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
for further details
While at I also replaced the _/tmp/restic_ path with a more explicit
placeholder path. Given that one rarely wants to backup to _/tmp_ I
figured it better to force a choice of path rather than to have
someone accidentally end up using _/tmp/restic_ for their backups.
The directive "StartLimitInterval" has been replaced by [StartLimitIntervalSec=interval, StartLimitBurst=burst](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=interval). I'd suggest that the default backoff settings are fine (in Ubuntu 19.10 no more than 5 restarts per 10 seconds, else delayed by 10 seconds per attempt) so this directive can simply be removed.
