haskal tech tip
need to do some dev stuff that needs capabilities like binding to a privileged port, or managing wireguard interfaces, without using sudo (because you don't trust your program not to fuck up root access. also it's security)?
systemd-run can do it (systemd-run can do literally anything. you'd be surprised)
systemd-run --pty -S -pAmbientCapabilities=CAP_NET_ADMIN -pUser=$USER -pGroup=$USER
systemd-run creates an ephemeral unit
--pty hooks it up to the current terminal
-S starts a shell as the process
-p sets a property
AmbientCapabilities=CAP_NET_ADMIN gives the unit the CAP_NET_ADMIN capability. you may also be interested in stuff like CAP_NET_BIND_SERVICE and CAP_NET_RAW
User=$USER and Group=$USER runs it under your actual user instead of as root
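Added example, not part of the thread: a small POSIX shell check to run inside the shell that systemd-run spawned. It decodes the CapAmb line of /proc/self/status and confirms the requested ambient capabilities actually arrived (CAP_NET_BIND_SERVICE is bit 10, CAP_NET_ADMIN bit 12, CAP_NET_RAW bit 13); the function names are our own and the sample status file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Decodes the CapAmb line of a
# /proc/<pid>/status file so you can confirm, from inside the shell that
# systemd-run spawned, that -pAmbientCapabilities=... really took effect.
# Capability numbers are from <linux/capability.h>; function names are ours.
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_in_set HEXMASK CAPNUM: succeeds if bit CAPNUM is set in HEXMASK
cap_in_set() {
    mask=$1
    capnum=$2
    [ $(( (0x$mask >> $capnum) & 1 )) -eq 1 ]
}

# ambient_mask STATUSFILE: prints the hex value after "CapAmb:" (empty if absent)
ambient_mask() {
    awk '$1 == "CapAmb:" { print $2 }' "$1"
}

# check_caps STATUSFILE CAPNUM...: reports each capability, fails if any is missing
check_caps() {
    file=$1; shift
    mask=$(ambient_mask "$file")
    if [ -z "$mask" ]; then
        echo "no CapAmb line in $file" >&2
        return 2
    fi
    rc=0
    for c in "$@"; do
        if cap_in_set "$mask" "$c"; then
            echo "cap $c: present in CapAmb ($mask)"
        else
            echo "cap $c: MISSING from CapAmb ($mask)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of the status lines a shell started with
# -pAmbientCapabilities=CAP_NET_ADMIN would show (only bit 12 set).
SAMPLE_STATUS=$(mktemp)
printf 'Name:\tbash\nCapEff:\t0000000000001000\nCapAmb:\t0000000000001000\n' > "$SAMPLE_STATUS"
if check_caps "$SAMPLE_STATUS" "$CAP_NET_ADMIN"; then
    echo "unit has the requested capability"
fi
```

Inside the real unit, point check_caps at /proc/self/status instead of the sample file; a MISSING line means the property was not applied (for example, the unit was not created with the expected user and capability bounding set).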
@haskal I really wish capabilities and isolation were... better in general tbh
like I should be able to say "only allow this program to connect to this one domain on this one port"
@hierarchon that's the main purpose of security modules like selinux and apparmor
@haskal yeah but I don't think any of them let you do that
@hierarchon i mean if you just want to restrict network access iptables can do filters by PID
@hierarchon that's what android does, it has a very complicated iptables-based network security system
@haskal yeah I guess I just wish you could apply a more mobile phone-y security model
I guess flatpak does this too?
@hierarchon well if you're talking containerization that's another possibility
put the program in its own network namespace and then write routing rules so you only forward allowed traffic out of that namespace (iptables/nftables again, or you could use iproute2 with policy based routing rules)
basically there are many ways in linux to achieve what you want.
@haskal yeah but like
i want to *not* have to do all this plumbing work myself
@hierarchon actually you can use systemd-run to filter ip addresses at least
-pIPAddressDeny=any -pIPAddressAllow=44.44.127.10
this uses _yet another_ mechanism in the kernel where cgroups can have eBPF filters on them
this will not let you filter ports (unless you write an eBPF filter program and pass it with -pIPEgressFilterPath but i assume that's plumbing work you don't want to do)
@hierarchon if you want to customize your security you're going to have to customize your security. there's no GNOME app for this yet....
@haskal that's a very interesting tech tip. Thank you!
@haskal systemd is so great for security, I've been writing my services with ProtectSystem and only allowing read/write to very specific folders :3
also DynamicUser when it doesn't matter permission-wise
@haskal This sounds very useful! Thanks :D
@haskal bloat (compliment)
@haskal If your program supports it, letting systemd (or another privileged program) pass in the opened socket gives even tighter control. (Example on <https://liquidat.wordpress.com/2018/01/04/howto-run-programs-as-non-root-user-on-privileged-ports-via-systemd/>).
the only other way i know of to do this is with capsh and it's super obtuse so i don't recommend it
this systemd-run command may seem a little verbose too, but like, if you're familiar with authoring systemd service configuration it should be familiar