Change confluent to run as non-root and harden systemd

This mitigates a great deal of risk compared to prior behavior.
2024-11-22 09:32:21 +00:00 · 2020-01-31 09:52:52 -05:00 · 2020-01-31 09:52:52 -05:00 · 0d5fa7a98a
commit 0d5fa7a98a
parent 968efe719a
2 changed files with 18 additions and 1 deletions
--- a/confluent_server/confluent_server.spec.tmpl
+++ b/confluent_server/confluent_server.spec.tmpl
@ -52,6 +52,15 @@ cat INSTALLED_FILES
 if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl try-restart confluent >& /dev/null; fi
 true

+%pre
+getent group confluent > /dev/null || /usr/sbin/groupadd -r confluent
+getent passwd confluent > /dev/null || /usr/sbin/useradd -r -g confluent -d /var/lib/confluent -s /sbin/nologin confluent
+mkdir -p /etc/confluent
+mkdir -p /var/lib/confluent
+mkdir -p /var/run/confluent
+mkdir -p /var/log/confluent
+chown -R confluent:confluent /etc/confluent /var/lib/confluent /var/run/confluent /var/log/confluent
+
 %post
 sysctl -p /usr/lib/sysctl.d/confluent.conf >& /dev/null
 if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl try-restart confluent >& /dev/null; fi
--- a/confluent_server/systemd/confluent.service
+++ b/confluent_server/systemd/confluent.service
@ -1,6 +1,7 @@
 # IBM(c) 2015 Apache 2.0
+# Lenovo(c) 2020 Apache 2.0
 [Unit]
-Description=Confluent hardware manager 
+Description=Confluent hardware manager

 [Service]
 Type=forking
@ -9,6 +10,13 @@ ExecStart=/opt/confluent/bin/confluent
 ExecStop=/opt/confluent/bin/confetty shutdown /
 Restart=on-failure
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+User=confluent
+Group=confluent
+DevicePolicy=closed
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectSystem=true

 [Install]
 WantedBy=multi-user.target