You are not logged in.

#1 2024-03-31 15:17:36

KSJ
Member
Registered: 2012-07-28
Posts: 28

[SOLVED] systemd security

Hi,

I have a running server with archlinux.
I was thinking about secure it more after latest xz case.

I have few systemd daemons running under root.
There shouldn't be a lot of daemons running under root.
Is there a difference between run systemd in userspace and
run process in service under some user
Is one of it more secure then the other?

Last edited by KSJ (2024-03-31 16:51:55)

Offline

#2 2024-03-31 15:53:38

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523
Website

Re: [SOLVED] systemd security

1. There was no xz issue in archlinux.  So that is irrelevant to securing your server.
2. Systemd itself cannot be run as a user.  You can run a systemd user session in addition to the init system / service manager running as root.  But doing so on a server really doesn't make much sense: systemd user services are used to manage processes run for users while actively logged into the system.
3. You could choose to run an individual given service / program as a system service run as a user, or as a user service.  In a majority of cases, though, most programs are only meant to be run one way or the other - so there isn't much of a choice.
4. Running a server process as a user service would be nonsensical as it would then not be a server process.  For example, you might run tmux as a user service so that it runs only when you are shelled into the server, and is not running otherwise.  But running a web server, or email server, etc as a user service would most likely not work at all, or would only work as long as your user is shelled into the server - which would really defeat the purpose (and leaving your user logged in indefinitely would likely reduce security not increase it).

Summary: do not try to be creative with security.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2024-03-31 16:29:28

KSJ
Member
Registered: 2012-07-28
Posts: 28

Re: [SOLVED] systemd security

1) I know it was only for debian and rhel systems. But there was in article some recommendation how to run system more secure, which made me interested.
e.g. "avoid daemons running as root as possible" - https://dataswamp.org/~solene/2024-03-3 … -vuln.html
3) I run almost all services as user. I don't like run them as user service. I was checking the options. I think when I run them as user, daemon is run under user and it is ok.

One last thing I'm running under root are the backup system - it has access to all user accounts and ssh port forwarding daemons, which I want to move to user too.

Offline

#4 2024-03-31 16:41:56

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523
Website

Re: [SOLVED] systemd security

Avoiding running daemons as root is good advice (advice, not absolute holy order).  But any well-written daemon will already drop root privileges.  Systemd (as the system service manager running as root) can start some daemons as a given user so they *never* have root privilege - but some daemons need to start as root (e.g., to bind ports).

But none of this has much of anything to do with whether the daemon is launched by the systemd service manager running as root (i.e., pid 1) or if it is started by a secondary systemd user service manager.  Systemd user sessions are not the security droids you are looking for.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2024-03-31 16:51:13

KSJ
Member
Registered: 2012-07-28
Posts: 28

Re: [SOLVED] systemd security

Thanks for advise

Offline

Board footer

Powered by FluxBB