Skip to content

Improve systemd services and remove unecessary permissions

Klaus Frank requested to merge agowa338/iptables:systemd-lockdown into main

Hi, here are some improvements to the systemd units. Theire mainly locking down and dropping permissions. Also I've introduced a new iptables user and group. The systemd service now uses them instead of the root user to reload the firewall rules. This has the additional effect of allowing to delegate modifying the firewall rules in /etc/iptables using a group membership within the iptables group.

The iptables users and groups are created using the sysusers mechanism. I however also added a failsave using useradd within the postinstall. And only if that also fails it is silently skipped and a console message is printed about the manual steps to check permissions of /etc/iptables. If an admin doesn't do that they'll be root:root, but the systemd service will fail to start. This cannot easily be avoided, as it would require modifying the systemd unists from within the post_install hook. Which probably isn't a good idea. Also beause we deployed a sysusers configuration systemd may still create our user on the next reboot. So having the console output, the service (potentially) fail and the admin investigate manually is probably the saver option.

I also changed the service to now install WantedBy=network-online.target instead of multi-user.target.

At least if systemd-networkd is used this is where it should be located.

Merge request reports

Loading