From 2b0ee787dd38414101d4b76b5a1818c9a21c57cd Mon Sep 17 00:00:00 2001
From: snicket2100 <57048005+snicket2100@users.noreply.github.com>
Date: Mon, 13 Apr 2020 10:43:32 +0200
Subject: mosquitto: systemd service sandboxing
running the service in a sandbox. read-only root file system, with tmpfs mounted in /tmp, hidden /root and /home, temporary /dev. the only writeable path is the data directory, which according to my experiments is enough for the service to work correctly.
---
 nixos/modules/services/networking/mosquitto.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'nixos/modules/services/networking/mosquitto.nix')
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index d2feb93e2b7..ec109c4e634 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -204,6 +204,16 @@ in
 Restart = "on-failure";
 ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ReadWritePaths = "${cfg.dataDir}";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ NoNewPrivileges = true;
 };
 preStart = ''
 rm -f ${cfg.dataDir}/passwd
-- cgit 1.4.1
From 542f75079b95bf15a0b4274d0a5a8a39ab19f703 Mon Sep 17 00:00:00 2001
From: Felix Tenley
Date: Wed, 21 Oct 2020 17:30:12 +0200
Subject: nixos/mosquitto: add passwordFile and hashedPasswordFile options
---
 nixos/modules/services/networking/mosquitto.nix | 36 +++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
(limited to 'nixos/modules/services/networking/mosquitto.nix')
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index d2feb93e2b7..4a85b3956da 100644
--- a/nixos/modules/services/networking/mosquitto.nix
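Review bot: `ReadWritePaths = "${cfg.dataDir}"` is now the only writable location, and it silently governs the preStart script as well, because ExecStartPre= runs under the same serviceConfig — the `rm -f`/`touch` on `${cfg.dataDir}/passwd` stay inside it, but `mosquitto_passwd` (called further down, outside this hunk) is not shown to write only there, so "enough according to my experiments" deserves a recorded rationale rather than a silent dependency. I would add next to the directive: `# preStart (ExecStartPre) runs inside this sandbox too: anything it writes must be under ReadWritePaths`. `ProtectHome = true` also makes /home and /root appear empty, so any file the broker or preStart has to read from there (a password file or TLS key, if someone keeps them there) fails with a confusing "no such file"; a one-liner `# ProtectHome hides /home and /root; keep files the broker reads elsewhere` prevents that debugging session. The serviceConfig set this hunk edits starts before the hunk.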
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -123,12 +123,33 @@ in
 '';
 };
+ passwordFile = mkOption {
+ type = with types; uniq (nullOr str);
+ example = "/path/to/file";
+ default = null;
+ description = ''
+ Specifies the path to a file containing the
+ clear text password for the MQTT user.
+ '';
+ };
+
 hashedPassword = mkOption {
 type = with types; uniq (nullOr str);
 default = null;
 description = ''
 Specifies the hashed password for the MQTT User.
- overrides .
+ To generate hashed password install mosquitto
+ package and use mosquitto_passwd.
+ '';
+ };
+
+ hashedPasswordFile = mkOption {
+ type = with types; uniq (nullOr str);
+ example = "/path/to/file";
+ default = null;
+ description = ''
+ Specifies the path to a file containing the
+ hashed password for the MQTT user.
 To generate hashed password install mosquitto
 package and use mosquitto_passwd.
 '';
@@ -190,6 +211,13 @@ in
 config = mkIf cfg.enable {
+ assertions = mapAttrsToList (name: cfg: {
+ assertion = length (filter (s: s != null) (with cfg; [
+ password passwordFile hashedPassword hashedPasswordFile
+ ])) <= 1;
+ message = "Cannot set more than one password option";
+ }) cfg.users;
+
 systemd.services.mosquitto = {
 description = "Mosquitto MQTT Broker Daemon";
 wantedBy = [ "multi-user.target" ];
@@ -210,7 +238,11 @@ in
 touch ${cfg.dataDir}/passwd
 '' + concatStringsSep "\n" (
 mapAttrsToList (n: c:
- if c.hashedPassword != null then
+ if c.hashedPasswordFile != null then
+ "echo '${n}:'$(cat '${c.hashedPasswordFile}') >> ${cfg.dataDir}/passwd"
+ else if c.passwordFile != null then
+ "${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${n} $(cat '${c.passwordFile}')"
+ else if c.hashedPassword != null then
+ "echo '${n}:${c.hashedPassword}' >> ${cfg.dataDir}/passwd"
 else optionalString (c.password != null)
 "${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${n} '${c.password}'"
-- cgit 1.4.1
From 33e867620eb1e27d44a35fb57944ce8a5bccfdab Mon Sep 17 00:00:00 2001
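Review bot: `passwordFile` and `hashedPasswordFile` are typed `str` rather than `path`, which is the right call — a `path` value would be copied into the world-readable Nix store — but neither description says so, nor when the file is read. I would extend both descriptions with a sentence such as: `The file is read by the service's pre-start script at activation time (not at build time), so its contents do not end up in the Nix store; it must be readable by whatever user runs that script.` The contrast is worth stating on `hashedPassword` too, whose value does land in the store because it is interpolated into the pre-start script further down in this commit.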
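Review bot: The assertion message `"Cannot set more than one password option"` does not say which user is misconfigured, even though the lambda already receives `name` and never uses it; it also names the parameter `cfg`, shadowing the module-level `cfg` inside the body (the trailing `cfg.users` is outside the lambda and still refers to the outer one, which is easy to misread). I would rename the parameter and use the name: `assertions = mapAttrsToList (name: user: {` … `(with user; [ … ])` … `message = "services.mosquitto.users.${name}: at most one of password, passwordFile, hashedPassword and hashedPasswordFile may be set";`. The `config = mkIf cfg.enable {` set continues past the hunk.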
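Review bot: In the new `passwordFile` branch the secret is substituted unquoted — `$(cat '${c.passwordFile}')` — so the shell word-splits and glob-expands it, silently mangling any password containing whitespace or `*`/`?`, and the same applies to the unquoted `$(cat '${c.hashedPasswordFile}')` in the `echo` branch. Quote both substitutions: `"${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${n} \"$(cat '${c.passwordFile}')\""` and `"echo '${n}:'\"$(cat '${c.hashedPasswordFile}')\" >> ${cfg.dataDir}/passwd"`. Note also that `-b` puts the clear-text password on mosquitto_passwd's command line, where it is readable by other local users via /proc while the pre-start step runs; that pre-dates this commit for the inline `password` option, but a comment such as `# NOTE: -b exposes the password in the process list for the duration of the call` would warn users choosing between the two file options. The `preStart` string this hunk edits starts before the hunk and continues past it.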
From: Martin Weinelt
Date: Sat, 24 Apr 2021 17:22:54 +0200
Subject: nixos/mosquitto: harden systemd unit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It can still network, it can only access the ssl related files if ssl is enabled.
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
---
 nixos/modules/services/networking/mosquitto.nix | 43 ++++++++++++++++++++++---
 nixos/tests/mosquitto.nix | 5 ++-
 2 files changed, 43 insertions(+), 5 deletions(-)
(limited to 'nixos/modules/services/networking/mosquitto.nix')
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index 10b49d9b220..b98a717e658 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -233,15 +233,50 @@ in
 ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
- ProtectSystem = "strict";
- ProtectHome = true;
+ # Hardening
+ CapabilityBoundingSet = "";
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateTmp = true;
- ReadWritePaths = "${cfg.dataDir}";
+ PrivateUsers = true;
+ ProtectClock = true;
 ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
- NoNewPrivileges = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ ReadWritePaths = [
+ cfg.dataDir
+ "/tmp" # mosquitto_passwd creates files in /tmp before moving them
+ ];
+ ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [
+ certfile
+ keyfile
+ cafile
+ ];
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_UNIX" # for sd_notify() call
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
+ UMask = "0077";
 };
 preStart = ''
 rm -f ${cfg.dataDir}/passwd
diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix
index 308c1396013..e29bd559ed9 100644
--- a/nixos/tests/mosquitto.nix
+++ b/nixos/tests/mosquitto.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
 let
 port = 1888;
@@ -30,6 +30,9 @@ in {
 ];
 };
 };
+
+ # disable private /tmp for this test
+ systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;
 };
 client1 = client;
-- cgit 1.4.1
From a2d1d16af82b7133547353568c5af33bbfcdca28 Mon Sep 17 00:00:00 2001
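Review bot: `ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ certfile keyfile cafile ]` does not deliver what the commit message claims ("can only access the ssl related files") — ReadOnlyPaths= only downgrades write access on paths that would otherwise be writable and never grants or restricts read access, so under `ProtectSystem = "strict"` (where everything outside ReadWritePaths is already read-only) these three entries are a no-op, and whether the broker can read its key material is still decided by the files' modes, by `ProtectHome = true` if they live under /home or /root, and by `PrivateUsers = true` remapping foreign uids to nobody. Either drop the list or replace it with a comment stating the real guarantee, e.g. `# ProtectSystem=strict already makes the whole FS read-only; cert/key files only need to be readable by the service user and must not live under /home or /root`. Separately, `PrivateUsers = true` together with `CapabilityBoundingSet = ""` means the unit cannot bind ports below 1024 on the host network namespace even if AmbientCapabilities= were added later, which matters because `cfg.port` is user-configurable — a comment `# NOTE: PrivateUsers makes binding privileged ports (<1024) impossible` would make the trade-off visible. The `"/tmp"` entry's comment is, I believe, only accurate when PrivateTmp is disabled (as the test below does), since a private /tmp is writable under strict mode anyway — worth confirming and stating. The serviceConfig set starts before the hunk.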
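Review bot: `systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;` switches off part of the sandbox that this same commit introduces, so the test no longer runs the unit as shipped, and the comment says what is done but not why; the reason is presumably that the test exchanges a file with the broker through /tmp, which a private /tmp would hide — confirm and spell it out, e.g. `# The test hands files to the broker via /tmp; a private /tmp would hide them. The shipped unit keeps PrivateTmp=true.` A cleaner shape would be to place the test's files under a path the hardened unit already exposes (the data directory) so PrivateTmp can stay on. The enclosing `server` node attribute set starts before the hunk.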
From: Martin Weinelt
Date: Thu, 29 Apr 2021 03:56:40 +0200
Subject: nixos/mosquitto: Migrate away from bind_address/port config keys
Fixes these two deprecation warnings, by moving away from these options towards a simple listener configuration.
> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.
Fixes: #120860
---
 nixos/modules/services/networking/mosquitto.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'nixos/modules/services/networking/mosquitto.nix')
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index b98a717e658..8e814ffd0b9 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -20,8 +20,7 @@ let
 acl_file ${aclFile}
 persistence true
 allow_anonymous ${boolToString cfg.allowAnonymous}
- bind_address ${cfg.host}
- port ${toString cfg.port}
+ listener ${toString cfg.port} ${cfg.host}
 ${passwordConf}
 ${listenerConf}
 ${cfg.extraConf}
-- cgit 1.4.1
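Review bot: `listener ${toString cfg.port} ${cfg.host}` turns the formerly global bind_address/port pair into a named listener, and in mosquitto's config format options that appear after a `listener` line attach to that listener when `per_listener_settings true` is in effect; `${passwordConf}`, `${listenerConf}` and `${cfg.extraConf}` all now follow this line, so a user who enables per_listener_settings via extraConf would silently scope password_file to this one listener while any second listener from listenerConf is left without it. Worth a comment on the new line: `# first listener; with per_listener_settings the auth settings below would bind to it only`. A secondary point: an empty `cfg.host` yields `listener 1883 ` which binds all interfaces — the same as an empty bind_address, but the host option's description (outside this hunk) should say so now that the semantics come from the listener syntax. The `mosquittoConf` string this hunk edits starts before the hunk.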