From 3dddbef6f8f3360e5401be880ecc80e30741a2de Mon Sep 17 00:00:00 2001
From: Marcin Deranek
Date: Mon, 4 Mar 2024 09:20:10 +0100
Subject: app-admin/vaultwarden tighten security
---
 app-admin/vaultwarden/Manifest | 2 +-
 app-admin/vaultwarden/files/vaultwarden.service | 41 ++++++++++++++++---------
 2 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/app-admin/vaultwarden/Manifest b/app-admin/vaultwarden/Manifest
index 623ee36..3441a9c 100644
--- a/app-admin/vaultwarden/Manifest
+++ b/app-admin/vaultwarden/Manifest
@@ -1,7 +1,7 @@ AUX conf 270 BLAKE2B eedd55cdae2c1b4160ef2e08a341aeb3356edbef7bbba67ce4fcde810de595012939d32b91cc58a04ae6510acffd350d6ded316ecf3cc2f047ffc85a3acaaa01 SHA512 ebbed2c0c12c7f42974bedf9336ab93a43c951abfe72c36d31b0da05bee623a707994b21774380f6d0943725d4cadf0d53bc32b4733c1dddaa3d41e5e73bbe41 AUX init 493 BLAKE2B fbb148dfd2e319928544ae36ccde1fa62456359403999cc8cb151db5febb6d5331ae185b599012924b6bd3533260005fe16fe3694464aff2f249065aba37a2a6 SHA512 bbcd2355cec35c185b143f9cbd26cec4c57de4cd4dbd8b7e9376e6a5aa48a8db5ab72c72da4f4ddf0b9b70f2c915379c8e07eda772983928242057afa67189e0 AUX vaultwarden 332 BLAKE2B eeee143031362d7232de544ba5b349eb77326e1e8ea462d4736557def280a00836cc35f7cfbb9eb27ab52058e8a51be2d805bcf2a7a30ee56d277c8de04f889c SHA512 9e98beefef37922309bbba217624a9ec586e9af642905e590a5d978efcb8027754a71cab792b14ff623c6422f5e958afaef1b3edf245a5f39d60d867f9faf131 -AUX vaultwarden.service 972 BLAKE2B 25865a0e76ed673202eb9c0259331c3de5f843050185913f02b14d8a0d25036656f5a30b2f5b460fc13ce3cd3a6e2319495aac1365d3c5a75746000d315bacfe SHA512 277d8fc4c9db0b24990cbc2e0a1ea687b5779c28febca54352a15b782cdd4c24b7c64821d7fe0a2e0794efb1a0732ccb4533cf8f97cf832876013f0ad2b8c5dd +AUX vaultwarden.service 1223 BLAKE2B 6f650a1758658fb78f4f91a92b759d77aa10fdd4751ce5bca3439321ef630be87e6e6db363ac7ea29762027d6929be1307611ab5d4f2f86ef0cd61b2eb8646d9 SHA512 0ef96b8e86183712f1fa9c905de8ccc8a5b10a0f40b5ce787a988a7f01c41598fcb577c2c86fef03d2dcb97fb8ccd4af432f072e1dfe42feb3d715ed53544d56 DIST Rocket-ce441b5f46fdf5cd99cb32b8b8638835e4c2a5fa.gh.tar.gz 852712 BLAKE2B b6baee76c1e8f0fc4e2628bdc34cf5154d6a76d5e414b349e707eaed19263abc10a608735090bc6fb2e87ebb0be7fe6324503cd4544b978a0683b20206f41201 SHA512 90ecfe0e77353cebb949fbb038e57554c0a215ef4b5a84580d88a0e8e1554954cb7fc7a4eeb13056cf3151ffdcf44f799b9cf71bb26bf96b06e0a280518963f9 DIST addr2line-0.20.0.crate 39558 BLAKE2B 1f66fcb361161599a87f874a3bf28a05614e235488d02205d4c8e207ae193280949ad957fd0eb383a49f4c1bc287569454d3c6872ed6e31c081e6fd03f8d460e 
SHA512 f9794772a31dd01096b168b4b4ffe311d4850c69fd77dd72c1e532a94ef7b23c31cccb9033848822521510f1fcc2ad0fdd824cf7efb9ed43828dc0165165b319 DIST addr2line-0.21.0.crate 40807 BLAKE2B 9796b9a1177a299797902b7f64247d81d63d3f7e0dcc1256990628e84c5f92e3094ee8d753d9b72187b9aaa73b7ca67c0217899f2226ebd1076f8d25b458475b SHA512 afde7660dda30dee240e79df1fb5b92d4572520bf17a134ef3765e2a077af9e13713952d52e27fae420109b40f6e24dbce1056687dbcbead858ffc21cc7dc69b
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
index 12ba0d4..4b6cbfc 100644
--- a/app-admin/vaultwarden/files/vaultwarden.service
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -4,34 +4,47 @@ Documentation=https://github.com/dani-garcia/vaultwarden
 After=network.target mariadb.service mysqld.service postgresql.service
 [Service]
+ExecStart=/usr/bin/vaultwarden
+WorkingDirectory=/var/lib/vaultwarden
 User=vaultwarden
 Group=vaultwarden
-Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
-EnvironmentFile=/etc/vaultwarden.env
-ExecStart=/usr/bin/vaultwarden
+
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=yes
 LimitNOFILE=1048576
-LimitNPROC=256
+UMask=0077
+LimitNPROC=64
+ProtectSystem=strict
+ProtectHome=true
+ReadWriteDirectories=/var/lib/vaultwarden
+PrivateUsers=yes
 PrivateTmp=true
 PrivateDevices=true
-ProtectHome=true
-ProtectSystem=strict
+ProtectHostname=yes
+ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectControlGroups=yes
-
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
-SystemCallArchitectures=native
 SystemCallFilter=@system-service
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
-WorkingDirectory=/var/lib/vaultwarden
-ReadWriteDirectories=/var/lib/vaultwarden
-# Allow vaultwarden to bind ports in the range of 0-1024
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3
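Review bot: The added `PrivateUsers=yes` works against the `AmbientCapabilities=CAP_NET_BIND_SERVICE` / `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` pair and the comment carried above them. Per systemd.exec(5), a unit running in a private user namespace holds no capabilities in the host user namespace, so the ambient capability does not allow binding ports below 1024 on the host network stack. No `PrivateNetwork=` is set in this hunk, so the listening socket lives in the host network namespace, and a low-port setting in `/etc/vaultwarden.env` would presumably fail at bind time. Either drop `PrivateUsers=yes` if privileged ports are meant to be supported, or remove the two capability lines and their comment and leave `CapabilityBoundingSet=` empty, so the unit states what it actually grants. Separately, `ReadWriteDirectories=` is the legacy spelling; `ReadWritePaths=/var/lib/vaultwarden` is the current name.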