From 631c3068a92c53c365a0f705c88d44b75566a09c Mon Sep 17 00:00:00 2001 From: palto42 Date: Sat, 22 Aug 2020 15:41:25 +0200 Subject: [PATCH] systemd security settings --- borgmatic/config/schema.yaml | 2 ++ docs/how-to/set-up-backups.md | 4 ++++ sample/systemd/borgmatic.service | 30 ++++++++++++++++++++++++++++++ 3 files changed, 36 insertions(+) diff --git a/borgmatic/config/schema.yaml b/borgmatic/config/schema.yaml index 9e16704..a45e867 100644 --- a/borgmatic/config/schema.yaml +++ b/borgmatic/config/schema.yaml @@ -29,6 +29,8 @@ map: expanded. Multiple repositories are backed up to in sequence. See ssh_command for SSH options like identity file or port. + If systemd service is used, then add local repository paths + in the systemd service file to the ReadWritePaths list. example: - user@backupserver:sourcehostname.borg one_file_system: diff --git a/docs/how-to/set-up-backups.md b/docs/how-to/set-up-backups.md index 4c30bc2..71a763e 100644 --- a/docs/how-to/set-up-backups.md +++ b/docs/how-to/set-up-backups.md @@ -268,6 +268,10 @@ sudo mv borgmatic.service borgmatic.timer /etc/systemd/system/ sudo systemctl enable --now borgmatic.timer ``` +Review the security settings in the service file and update them as needed. +If `ProtectSystem=strict` is enabled and local repositories are used, then +the repository path must be added to the `ReadWritePaths` list. + Feel free to modify the timer file based on how frequently you'd like borgmatic to run. diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service index bc2a127..10fdfcf 100644 --- a/sample/systemd/borgmatic.service +++ b/sample/systemd/borgmatic.service @@ -7,6 +7,36 @@ ConditionACPower=true [Service] Type=oneshot +# Security settings for systemd running as root +# For more details about this settings check the systemd manuals +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html +LockPersonality=true +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateDevices=yes +PrivateTmp=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +# Restrict write access +# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file +# system read-only be default and uncomment 'ReadWritePaths' for the required write access. +# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'. +ProtectSystem=full +# ProtectHome=read-only +# ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic + +CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW + # Lower CPU and I/O priority. Nice=19 CPUSchedulingPolicy=batch