Hello, I'm working on reviving an old Scuttlebutt pub YunoHost package that was archived. Since the time it was archived (set to unmaintained) there has been a new, better-working implementation of Scuttlebutt, which I am integrating.
In this package, there is one web app process (called peach-web), which monitors, stops and restarts a second process which is the scuttlebutt server (called tilde-sbot) via systemd.
Three years ago I was able to make this work by adding a file at /etc/sudoers.d/peachpub_ynh which explicitly allowed the peach-web process to stop, start and restart tilde-sbot via systemctl (file is here: peachpub_ynh/conf/sudoers at master · YunoHost-Apps/peachpub_ynh · GitHub).
However, now when I have tried to do this, I still run into the error:
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
I have tried adjusting the permissions of the systemd unit for peach-web, but still I am running into this issue.
I wanted to sanity check: has there been a change to YunoHost that sets NoNewPrivileges=yes for my systemd unit somewhere earlier that it inherits?
Here is the systemd unit I am using for peach-web:
[Unit]
Description=peach-web service
After=network.target
[Service]
Type=simple
User=peachpub_ynh
Group=peachpub_ynh
Restart=always
WorkingDirectory=/var/www/peachpub_ynh/
Environment="PEACH_CONFIGDIR=/var/www/peachpub_ynh/config"
Environment="PEACH_CONFIG_PATH=/var/www/peachpub_ynh/config/config.yml"
Environment="RUST_LOG=info"
ExecStart=/var/www/peachpub_ynh/peach-web
StandardOutput=append:/var/log/peachpub_ynh/peachpub_ynh-peach-web.log
StandardError=inherit
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=no
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @swap
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
#CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target
And here are the commands that make me think that something else might be enforcing NoNewPrivileges despite my setting it to no in the systemd unit:
root@apub:/srv/priv# systemctl show -p MainPID peachpub_ynh-peach-web.service
MainPID=110161
root@apub:/srv/priv# cat /proc/110161/status | grep NoNewPrivs
NoNewPrivs: 1
Thanks for any guidance!
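As an added example (not part of the post above or of the peachpub_ynh package), a small POSIX sh helper that reads a unit file and lists the sandboxing directives which systemd.exec(5) documents as implying NoNewPrivileges=yes for a service running under an unprivileged User=, regardless of an explicit NoNewPrivileges=no; nnp_live repeats the two diagnostic commands from the post against a running unit. The sample unit at the bottom is constructed for the demo, not the poster's file.

```shell
#!/bin/sh
# Directives that systemd.exec(5) documents as implying NoNewPrivileges=yes
# (for a unit running as an unprivileged User=) whatever NoNewPrivileges= says.
NNP_IMPLYING_DIRECTIVES="SystemCallFilter SystemCallArchitectures \
RestrictAddressFamilies RestrictNamespaces PrivateDevices ProtectKernelTunables \
ProtectKernelModules ProtectKernelLogs ProtectClock MemoryDenyWriteExecute \
RestrictRealtime RestrictSUIDSGID DynamicUser LockPersonality"

# Print, one per line, each implying directive that is active in unit file $1.
# Last assignment wins, as in systemd; no/off/false/0 and empty (reset) values
# do not count as active.
nnp_implying_directives() {
    for d in $NNP_IMPLYING_DIRECTIVES; do
        val=$(grep -E "^[[:space:]]*$d=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
        case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
            ''|no|off|false|0) ;;
            *) echo "$d" ;;
        esac
    done
}

# One-line verdict: the explicit NoNewPrivileges= value, or the number of
# sandboxing directives that force no_new_privs on regardless of it.
nnp_verdict() {
    explicit=$(grep -E '^[[:space:]]*NoNewPrivileges=' "$1" | tail -n 1 | cut -d= -f2-)
    n=$(nnp_implying_directives "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then echo "forced-on-by-$n-directives"
    else echo "explicit:${explicit:-unset}"; fi
}

# Live check of a running unit: the same two commands as in the post.
nnp_live() {
    pid=$(systemctl show -p MainPID --value "$1")
    [ "${pid:-0}" -gt 0 ] && awk '/^NoNewPrivs:/ {print $2}' "/proc/$pid/status"
}

# Constructed sample unit: NoNewPrivileges=no next to the usual hardening baseline.
SAMPLE_UNIT=$(mktemp)
cat > "$SAMPLE_UNIT" <<'EOF'
[Service]
User=peachpub_ynh
NoNewPrivileges=no
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module
EOF
nnp_verdict "$SAMPLE_UNIT"   # forced-on-by-8-directives
```

Run it as `nnp_verdict /etc/systemd/system/<unit>.service` on the real file to see which lines override the explicit setting, and `nnp_live <unit>` to confirm the flag on the live process.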