github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

security(gateway): Don't run systemd gateways as root (#2943)

Browse Source 
Docker-based gateways won't have working IPv6 (good point @AndrewDryga),
so I started testing the systemd gateways more and found some issues I
fixed.

* Update default tab order for Deploy gateways page to prefer systemd
* Update unit file to run gateway as unprivileged user
* Remove dependency on `wget` in unit file
* Fix iptables logic so rules as re-created on reboot
* Use `/var/lib/firezone` instead of `/etc/firezone` for writing runtime
files (`/etc/` is often mounted read-only on hardened systems)

---------

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Andrew Dryga <andrew@dryga.com>
This commit is contained in:
Jamil
2023-12-21 10:29:10 -08:00
committed by GitHub
parent d3f45b5285
commit 34ab093dbc
5 changed files with 229 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

207
elixir/apps/web/lib/web/live/relay_groups/new_token.ex
View File

@@ -23,7 +23,7 @@ defmodule Web.RelayGroups.NewToken do
group: group,
env: env,
connected?: false,
selected_tab: "docker-instructions"
selected_tab: "systemd-instructions"
)}
else
_other -> raise Web.LiveErrors.NotFoundError
@@ -51,13 +51,110 @@ defmodule Web.RelayGroups.NewToken do
</div>
<.tabs :if={@env} id="deployment-instructions">
<:tab
id="systemd-instructions"
label="systemd"
phx_click="tab_selected"
selected={@selected_tab == "systemd-instructions"}
>
<p class="p-4">
1. Create an unprivileged user and group to run the relay:
</p>
<.code_block
id="code-sample-systemd0"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo groupadd -f firezone \
&& id -u firezone &>/dev/null || sudo useradd -r -g firezone -s /sbin/nologin firezone</.code_block>
<p class="p-4">
2. Create a new systemd unit file:
</p>
<.code_block
id="code-sample-systemd1"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo nano /etc/systemd/system/firezone-relay.service</.code_block>
<p class="p-4">
3. Copy-paste the following contents into the file:
</p>
<.code_block
id="code-sample-systemd2"
class="w-full text-xs whitespace-pre-line"
phx-no-format
phx-update="ignore"
><%= systemd_command(@env) %></.code_block>
<p class="p-4">
4. Save by pressing <kbd>Ctrl</kbd>+<kbd>X</kbd>, then <kbd>Y</kbd>, then <kbd>Enter</kbd>.
</p>
<p class="p-4">
5. Reload systemd configuration:
</p>
<.code_block
id="code-sample-systemd4"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo systemctl daemon-reload</.code_block>
<p class="p-4">
6. Start the service:
</p>
<.code_block
id="code-sample-systemd5"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo systemctl start firezone-relay</.code_block>
<p class="p-4">
7. Enable the service to start on boot:
</p>
<.code_block
id="code-sample-systemd6"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo systemctl enable firezone-relay</.code_block>
<hr />
<h4 class="p-4 text-xl font-semibold">
Troubleshooting
</h4>
<p class="p-4">
Check the status of the service:
</p>
<.code_block
id="code-sample-systemd7"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo systemctl status firezone-relay</.code_block>
<p class="p-4">
Check the logs:
</p>
<.code_block
id="code-sample-systemd8"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo journalctl -u firezone-relay.service</.code_block>
</:tab>
<:tab
id="docker-instructions"
label="Docker"
phx_click="tab_selected"
selected={@selected_tab == "docker-instructions"}
>
<p class="pl-4 mb-2">
<p class="p-4">
Copy-paste this command to your server and replace <code>PUBLIC_IP4_ADDR</code>
and <code>PUBLIC_IP6_ADDR</code>
with your public IP addresses:
@@ -65,94 +162,36 @@ defmodule Web.RelayGroups.NewToken do
<.code_block
id="code-sample-docker1"
class="w-full rounded-b"
class="w-full text-xs whitespace-pre-line"
phx-no-format
phx-update="ignore"
><%= docker_command(@env) %></.code_block>
<hr />
<p class="pl-4 mb-2 mt-4 text-xl font-semibold">
<h4 class="p-4 text-xl font-semibold">
Troubleshooting
</p>
</h4>
<p class="pl-4 mb-2 mt-4">
<p class="p-4">
Check the container status:
</p>
<.code_block id="code-sample-docker2" class="w-full" phx-no-format>docker ps --filter "name=firezone-relay"</.code_block>
<.code_block
id="code-sample-docker2"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>docker ps --filter "name=firezone-relay"</.code_block>
<p class="pl-4 mb-2 mt-4">
<p class="p-4">
Check the container logs:
</p>
<.code_block id="code-sample-docker3" class="w-full rounded-b" phx-no-format>docker logs firezone-relay</.code_block>
</:tab>
<:tab
id="systemd-instructions"
label="Systemd"
phx_click="tab_selected"
selected={@selected_tab == "systemd-instructions"}
>
<p class="pl-4 mb-2">
1. Create a systemd unit file with the following content:
</p>
<.code_block id="code-sample-systemd1" class="w-full" phx-no-format>sudo nano /etc/systemd/system/firezone-relay.service</.code_block>
<p class="pl-4 mb-2 mt-4">
2. Copy-paste the following content into the file and replace
<code>PUBLIC_IP4_ADDR</code>
and <code>PUBLIC_IP6_ADDR</code>
with your public IP addresses::
</p>
<.code_block
id="code-sample-systemd2"
class="w-full rounded-b"
id="code-sample-docker3"
class="w-full text-xs whitespace-pre-line"
phx-no-format
phx-update="ignore"
><%= systemd_command(@env) %></.code_block>
<p class="pl-4 mb-2 mt-4">
3. Save by pressing <kbd>Ctrl</kbd>+<kbd>X</kbd>, then <kbd>Y</kbd>, then <kbd>Enter</kbd>.
</p>
<p class="pl-4 mb-2 mt-4">
4. Reload systemd configuration:
</p>
<.code_block id="code-sample-systemd4" class="w-full" phx-no-format>sudo systemctl daemon-reload</.code_block>
<p class="pl-4 mb-2 mt-4">
5. Start the service:
</p>
<.code_block id="code-sample-systemd5" class="w-full" phx-no-format>sudo systemctl start firezone-relay</.code_block>
<p class="pl-4 mb-2 mt-4">
6. Enable the service to start on boot:
</p>
<.code_block id="code-sample-systemd6" class="w-full" phx-no-format>sudo systemctl enable firezone-relay</.code_block>
<hr />
<p class="pl-4 mb-2 mt-4 text-xl font-semibold">
Troubleshooting
</p>
<p class="pl-4 mb-2 mt-4">
Check the status of the service:
</p>
<.code_block id="code-sample-systemd7" class="w-full rounded-b" phx-no-format>sudo systemctl status firezone-relay</.code_block>
<p class="pl-4 mb-2 mt-4">
Check the logs:
</p>
<.code_block id="code-sample-systemd8" class="w-full rounded-b" phx-no-format>sudo journalctl -u firezone-relay.service</.code_block>
>docker logs firezone-relay</.code_block>
</:tab>
</.tabs>
@@ -223,7 +262,7 @@ defmodule Web.RelayGroups.NewToken do
"--health-cmd=\"lsof -i UDP | grep firezone-relay\"",
"--name=firezone-relay",
"--cap-add=NET_ADMIN",
"--volume /etc/firezone",
"--volume /var/lib/firezone",
"--sysctl net.ipv4.ip_forward=1",
"--sysctl net.ipv4.conf.all.src_valid_mark=1",
"--sysctl net.ipv6.conf.all.disable_ipv6=0",
@@ -248,7 +287,7 @@ defmodule Web.RelayGroups.NewToken do
[Service]
Type=simple
#{Enum.map_join(env, "\n", fn {key, value} -> "Environment=\"#{key}=#{value}\"" end)}
ExecStartPre=/bin/sh -c 'set -xue; \\
ExecStartPre=/bin/sh -c 'set -ue; \\
if [ ! -e /usr/local/bin/firezone-relay ]; then \\
FIREZONE_VERSION=$(curl -Ls \\
-H "Accept: application/vnd.github+json" \\
@@ -270,14 +309,20 @@ defmodule Web.RelayGroups.NewToken do
echo "Unsupported architecture"; \\
exit 1 ;; \\
esac; \\
wget -O /usr/local/bin/firezone-relay $bin_url; \\
chmod +x /usr/local/bin/firezone-relay; \\
mkdir -p /etc/firezone; \\
chmod 0755 /etc/firezone; \\
curl -Ls $bin_url -o /usr/local/bin/firezone-relay; \\
chgrp firezone /usr/local/bin/firezone-relay; \\
chmod 0750 /usr/local/bin/firezone-relay; \\
fi; \\
mkdir -p /var/lib/firezone; \\
chown firezone:firezone /var/lib/firezone; \\
chmod 0775 /var/lib/firezone; \\
'
AmbientCapabilities=CAP_NET_ADMIN
ExecStart=/bin/sh -c 'FIREZONE_NAME=$(hostname); /usr/local/bin/firezone-relay'
ExecStart=/usr/bin/sudo \\
--preserve-env=FIREZONE_NAME,FIREZONE_ID,FIREZONE_TOKEN,PUBLIC_IP4_ADDR,PUBLIC_IP6_ADDR,RUST_LOG,LOG_FORMAT \\
-u firezone \\
-g firezone \\
FIREZONE_NAME=$(hostname) \\
/usr/local/bin/firezone-relay
TimeoutStartSec=3s
TimeoutStopSec=15s
Restart=always

157
elixir/apps/web/lib/web/live/sites/new_token.ex
View File

@@ -22,7 +22,7 @@ defmodule Web.Sites.NewToken do
group: group,
env: env,
connected?: false,
selected_tab: "docker-instructions"
selected_tab: "systemd-instructions"
)}
else
{:error, _reason} -> raise Web.LiveErrors.NotFoundError
@@ -59,10 +59,82 @@ defmodule Web.Sites.NewToken do
<:content>
<div class="py-8 px-4 mx-auto max-w-2xl lg:py-16">
<div class="text-xl mb-4">
Select deployment method:
Select deployment method then follow the instructions below:
</div>
<.tabs :if={@env} id="deployment-instructions">
<:tab
id="systemd-instructions"
label="Systemd"
phx_click="tab_selected"
selected={@selected_tab == "systemd-instructions"}
>
<p class="p-4">
1. Create an unprivileged user and group to run the gateway:
</p>
<.code_block
id="code-sample-systemd0"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo groupadd -f firezone \
&& id -u firezone &>/dev/null || sudo useradd -r -g firezone -s /sbin/nologin firezone</.code_block>
<p class="p-4">
2. Create a new systemd unit file:
</p>
<.code_block
id="code-sample-systemd1"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo nano /etc/systemd/system/firezone-gateway.service</.code_block>
<p class="p-4">
3. Copy-paste the following contents into the file:
</p>
<.code_block
id="code-sample-systemd2"
class="w-full text-xs whitespace-pre-line"
phx-no-format
phx-update="ignore"
><%= systemd_command(@env) %></.code_block>
<p class="p-4">
4. Save by pressing <kbd>Ctrl</kbd>+<kbd>X</kbd>, then <kbd>Y</kbd>, then <kbd>Enter</kbd>.
</p>
<p class="p-4">
5. Reload systemd configuration:
</p>
<.code_block
id="code-sample-systemd4"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo systemctl daemon-reload</.code_block>
<p class="p-4">
6. Start the service:
</p>
<.code_block
id="code-sample-systemd5"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo systemctl start firezone-gateway</.code_block>
<p class="p-4">
7. Enable the service to start on boot:
</p>
<.code_block
id="code-sample-systemd6"
class="w-full text-xs whitespace-pre-line"
phx-no-format
>sudo systemctl enable firezone-gateway</.code_block>
</:tab>
<:tab
id="docker-instructions"
label="Docker"
@@ -73,52 +145,12 @@ defmodule Web.Sites.NewToken do
Copy-paste this command to your server:
</p>
<.code_block id="code-sample-docker1" class="w-full" phx-no-format phx-update="ignore"><%= docker_command(@env) %></.code_block>
</:tab>
<:tab
id="systemd-instructions"
label="Systemd"
phx_click="tab_selected"
selected={@selected_tab == "systemd-instructions"}
>
<p class="p-4">
1. Create a new systemd unit file:
</p>
<.code_block id="code-sample-systemd1" class="w-full" phx-no-format>sudo nano /etc/systemd/system/firezone-gateway.service</.code_block>
<p class="p-4">
2. Copy-paste the following contents into the file:
</p>
<.code_block
id="code-sample-systemd2"
class="w-full rounded-b"
id="code-sample-docker1"
class="w-full text-xs whitespace-pre-line"
phx-no-format
phx-update="ignore"
><%= systemd_command(@env) %></.code_block>
<p class="p-4">
3. Save by pressing <kbd>Ctrl</kbd>+<kbd>X</kbd>, then <kbd>Y</kbd>, then <kbd>Enter</kbd>.
</p>
<p class="p-4">
4. Reload systemd configuration:
</p>
<.code_block id="code-sample-systemd4" class="w-full" phx-no-format>sudo systemctl daemon-reload</.code_block>
<p class="p-4">
5. Start the service:
</p>
<.code_block id="code-sample-systemd5" class="w-full" phx-no-format>sudo systemctl start firezone-gateway</.code_block>
<p class="p-4">
6. Enable the service to start on boot:
</p>
<.code_block id="code-sample-systemd6" class="w-full" phx-no-format>sudo systemctl enable firezone-gateway</.code_block>
><%= docker_command(@env) %></.code_block>
</:tab>
</.tabs>
@@ -187,7 +219,7 @@ defmodule Web.Sites.NewToken do
"--health-cmd=\"ip link | grep tun-firezone\"",
"--name=firezone-gateway",
"--cap-add=NET_ADMIN",
"--volume /etc/firezone",
"--volume /var/lib/firezone",
"--sysctl net.ipv4.ip_forward=1",
"--sysctl net.ipv4.conf.all.src_valid_mark=1",
"--sysctl net.ipv6.conf.all.disable_ipv6=0",
@@ -214,7 +246,7 @@ defmodule Web.Sites.NewToken do
[Service]
Type=simple
#{Enum.map_join(env, "\n", fn {key, value} -> "Environment=\"#{key}=#{value}\"" end)}
ExecStartPre=/bin/sh -c 'set -xue; \\
ExecStartPre=/bin/sh -c 'set -ue; \\
if [ ! -e /usr/local/bin/firezone-gateway ]; then \\
FIREZONE_VERSION=$(curl -Ls \\
-H "Accept: application/vnd.github+json" \\
@@ -236,20 +268,27 @@ defmodule Web.Sites.NewToken do
echo "Unsupported architecture"; \\
exit 1 ;; \\
esac; \\
wget -O /usr/local/bin/firezone-gateway $bin_url; \\
chmod +x /usr/local/bin/firezone-gateway; \\
mkdir -p /etc/firezone; \\
chmod 0755 /etc/firezone; \\
iptables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
iptables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
iptables-nft -t nat -A POSTROUTING -o e+ -j MASQUERADE; \\
ip6tables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
ip6tables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
ip6tables-nft -t nat -A POSTROUTING -o e+ -j MASQUERADE; \\
curl -Ls $bin_url -o /usr/local/bin/firezone-gateway; \\
chgrp firezone /usr/local/bin/firezone-gateway; \\
chmod 0750 /usr/local/bin/firezone-gateway; \\
setcap 'cap_net_admin+eip' /usr/local/bin/firezone-gateway; \\
fi; \\
mkdir -p /var/lib/firezone; \\
chown firezone:firezone /var/lib/firezone; \\
chmod 0775 /var/lib/firezone; \\
iptables-nft -C FORWARD -i tun-firezone -j ACCEPT || iptables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
iptables-nft -C FORWARD -o tun-firezone -j ACCEPT || iptables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
iptables-nft -t nat -C POSTROUTING -o e+ -j MASQUERADE || iptables-nft -t nat -A POSTROUTING -o e+ -j MASQUERADE; \\
ip6tables-nft -C FORWARD -i tun-firezone -j ACCEPT || ip6tables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
ip6tables-nft -C FORWARD -o tun-firezone -j ACCEPT || ip6tables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
ip6tables-nft -t nat -C POSTROUTING -o e+ -j MASQUERADE || ip6tables-nft -t nat -A POSTROUTING -o e+ -j MASQUERADE; \\
'
AmbientCapabilities=CAP_NET_ADMIN
ExecStart=/bin/sh -c 'FIREZONE_NAME=$(hostname); /usr/local/bin/firezone-gateway'
ExecStart=/usr/bin/sudo \\
--preserve-env=FIREZONE_NAME,FIREZONE_ID,FIREZONE_TOKEN,FIREZONE_API_URL,RUST_LOG \\
-u firezone \\
-g firezone \\
FIREZONE_NAME=$(hostname) \\
/usr/local/bin/firezone-gateway
TimeoutStartSec=3s
TimeoutStopSec=15s
Restart=always

4
elixir/apps/web/test/web/live/relay_groups/new_token_test.exs
View File

@@ -33,8 +33,8 @@ defmodule Web.Live.RelayGroups.NewTokenTest do
assert html =~ "docker run"
assert html =~ "Waiting for connection..."
assert Regex.run(~r/FIREZONE_ID=([^ ]+)/, html) |> List.last()
token = Regex.run(~r/FIREZONE_TOKEN=([^ ]+)/, html) |> List.last() |> String.trim("&quot;")
assert Regex.run(~r/FIREZONE_ID=([^& ]+)/, html) |> List.last()
token = Regex.run(~r/FIREZONE_TOKEN=([^& ]+)/, html) |> List.last() |> String.trim("&quot;")
:ok = Domain.Relays.subscribe_for_relays_presence_in_group(group)
relay = Fixtures.Relays.create_relay(account: account, group: group)

4
elixir/apps/web/test/web/live/sites/new_token_test.exs
View File

@@ -31,8 +31,8 @@ defmodule Web.Live.Sites.NewTokenTest do
assert html =~ "docker run"
assert html =~ "Waiting for connection..."
assert Regex.run(~r/FIREZONE_ID=([^ ]+)/, html) |> List.last()
token = Regex.run(~r/FIREZONE_TOKEN=([^ ]+)/, html) |> List.last() |> String.trim("&quot;")
assert Regex.run(~r/FIREZONE_ID=([^& ]+)/, html) |> List.last()
token = Regex.run(~r/FIREZONE_TOKEN=([^& ]+)/, html) |> List.last() |> String.trim("&quot;")
:ok = Domain.Gateways.subscribe_for_gateways_presence_in_group(group)
gateway = Fixtures.Gateways.create_gateway(account: account, group: group)

2
scripts/gateway-docker-upgrade.sh
View File

@@ -33,7 +33,7 @@ do
--health-cmd="ip link | grep tun-firezone" \
--name="$RUNNING_NAME" \
--cap-add=NET_ADMIN \
--volume /etc/firezone \
--volume /var/lib/firezone \
--env-file variables.env \
--sysctl net.ipv4.ip_forward=1 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \