From 0d5fa7a98a9133cca2a74d8ac76694c23abca267 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 31 Jan 2020 09:52:52 -0500
Subject: [PATCH] Change confluent to run as non-root and harden systemd

This mitigates a great deal of risk compared to prior behavior.
---
 confluent_server/confluent_server.spec.tmpl | 9 +++++++++
 confluent_server/systemd/confluent.service | 10 +++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/confluent_server/confluent_server.spec.tmpl b/confluent_server/confluent_server.spec.tmpl
index e86313a4..125104fb 100644
--- a/confluent_server/confluent_server.spec.tmpl
+++ b/confluent_server/confluent_server.spec.tmpl
@@ -52,6 +52,15 @@ cat INSTALLED_FILES
 if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl try-restart confluent >& /dev/null; fi
 true
+%pre
+getent group confluent > /dev/null || /usr/sbin/groupadd -r confluent
+getent passwd confluent > /dev/null || /usr/sbin/useradd -r -g confluent -d /var/lib/confluent -s /sbin/nologin confluent
+mkdir -p /etc/confluent
+mkdir -p /var/lib/confluent
+mkdir -p /var/run/confluent
+mkdir -p /var/log/confluent
+chown -R confluent:confluent /etc/confluent /var/lib/confluent /var/run/confluent /var/log/confluent
+
 %post
 sysctl -p /usr/lib/sysctl.d/confluent.conf >& /dev/null
 if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl try-restart confluent >& /dev/null; fi
diff --git a/confluent_server/systemd/confluent.service b/confluent_server/systemd/confluent.service
index 57476a17..8ead8827 100644
--- a/confluent_server/systemd/confluent.service
+++ b/confluent_server/systemd/confluent.service
@@ -1,6 +1,7 @@
 # IBM(c) 2015 Apache 2.0
+# Lenovo(c) 2020 Apache 2.0
 [Unit]
-Description=Confluent hardware manager
+Description=Confluent hardware manager
 [Service]
 Type=forking
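Review bot: `mkdir -p /var/run/confluent` in the new %pre creates a directory under /run, which on systemd hosts is normally a tmpfs emptied at boot, so both the directory and its confluent:confluent ownership vanish on the first reboot after install and a non-root daemon can no longer create its runtime state there; the durable place for this is the unit file (the confluent.service hunk in this same commit), with `RuntimeDirectory=confluent` so systemd recreates /run/confluent owned by the service user on every start, or a tmpfiles.d entry. The `chown -R confluent:confluent /etc/confluent …` line also re-runs on every upgrade and gives the service account write access to its own configuration, which weakens the privilege drop if the daemon only reads /etc/confluent at runtime; `chown -R root:confluent /etc/confluent` with group-readable modes would keep a compromised process from rewriting its config, but confirm first whether the daemon writes under /etc/confluent. The groupadd/useradd placement in %pre is correct, since that scriptlet runs before the payload is unpacked and before %post restarts the service.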
@@ -9,6 +10,13 @@ ExecStart=/opt/confluent/bin/confluent
 ExecStop=/opt/confluent/bin/confetty shutdown /
 Restart=on-failure
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+User=confluent
+Group=confluent
+DevicePolicy=closed
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectSystem=true
 [Install]
 WantedBy=multi-user.target
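Review bot: `ProtectSystem=true` only mounts /usr and the boot directories read-only, so /etc stays writable to the service, which matters more now that /etc/confluent is owned by the new `User=confluent` account; `ProtectSystem=full` (or `strict` with `ReadWritePaths=/var/lib/confluent /var/log/confluent`) is the tighter setting, provided the daemon does not need to write under /etc/confluent at runtime — that should be confirmed before changing it. The hunk also omits the directives that usually accompany a `User=` drop: `NoNewPrivileges=true` (AmbientCapabilities= still hands over CAP_NET_BIND_SERVICE under it), `ProtectHome=true`, `ProtectKernelTunables=true`, `ProtectKernelModules=true`, `PrivateTmp=true`, and `RuntimeDirectory=confluent` so /run/confluent is recreated with the right owner after a reboot instead of relying on the package %pre. `DevicePolicy=closed` looks redundant next to `PrivateDevices=true`, which as far as I recall already imposes a closed device policy, so it can be dropped. Hosts with an older systemd that lacks some of these directives log a warning and ignore them, the same way they already treat `ProtectControlGroups=`.
```ini
AmbientCapabilities=CAP_NET_BIND_SERVICE
# … unchanged: User=, Group=, CapabilityBoundingSet=, PrivateDevices=, ProtectControlGroups= …
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectSystem=full
RuntimeDirectory=confluent
```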