ProtectSystem is full, not strict. Otherwise seems fine
All these systemd options are documented in the man page, see
As the name implies, roughly a pager is a piece of software that helps the user get the output one page at a time, by getting the size of rows of the terminal and displaying that many lines.
The most popular pagers in a UNIX text environment are more and less. The latter is kind of a joke as less can actually do more than more.
Yea, make sure to journalctl -eu prunner every time you restart it to check the logs
I tried setting it up myself, I was correct that MemoryDenyWriteExecute would be a problem.
I’ve made some changes between when I posted it and now (actually I just made a change, ProtectHostname) so make sure you get everything.
Btw, once these options are added, you can run systemd-analyze security prunner to check which options haven’t been enabled (it doesn’t know if it should be enabled though. Add --no-pager if you want to copy it)
This is a list of things that could help harden, some of these I am not as sure about
PrivateTmp=true # Does prunner use tmp? Does ffmpeg use tmp?
PrivateMounts=true # prunner/ffmpeg shouldn't need to mount stuff anyways... right?
ProtectClock=true # prunner and ffmpeg do not need to set hardware clock
ProtectKernelTunables=true # "Few services need to write to these at runtime"
ProtectKernelModules=true # I don't see prunner/ffmpeg needing to mod_probe
ProtectKernelLogs=true # prunner/ffmpeg do not need to write to dmesg
ProtectControlGroups=true # Not a container manager
ProtectProc=invisible # Keep an eye out
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Other socket types are rare
LockPersonality=true # prunner/ffmpeg shouldn't need to change personality?
#MemoryDenyWriteExecute=true # Wait, prunner is a JS app isn't it? Hoping no JIT is needed **EDIT**: Yes, this is a problem
RestrictSUIDSGID=true # No privilege elevation
RestrictNamespaces=true # ffmpeg does not need namespaces
SystemCallArchitectures=native # hardens other options
ProtectHostname=true # Actually, seems like it might not be a problem. Hostname is "copied from callers namespace"
# Not setting:
# PrivateUsers=true # Meh. Problem I had with it in bind should not be the case here. If you feel like it, try it out.
# SystemCallFilter # Can't be bothered to go through the list
# ProcSubset=pid # Kernel APIs, not sure if ffmpeg needs them
# PrivateDevices=true # afraid ffmpeg needs it
# RestrictRealtime=true # prunner sets the niceness of ffmpeg
With ProtectSystem=strict you also need ReadWritePaths=/srv/prunner; WorkingDirectory is not excluded from being read-only.
I could recommend a lot of stuff.
Why can’t this be “strict”? What directories does prunner need to write to?
If it’s just WorkingDirectory, a ReadWritePaths=/srv/prunner is all that is needed.
Edit: If anyone wants to actually run this, I can help you harden the systemd service.
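As an added example (not posted by anyone in this thread), a small POSIX shell check for the pitfall the last two comments raise: it reads a unit file and reports when ProtectSystem=strict would leave WorkingDirectory read-only because no ReadWritePaths= entry covers it. The unit contents below are constructed samples.

```shell
#!/bin/sh
# With ProtectSystem=strict the whole filesystem except /dev, /proc and /sys
# is read-only, WorkingDirectory included, so the service's writable tree
# must appear in ReadWritePaths=. With ProtectSystem=full only /usr, /boot,
# /efi and /etc become read-only, so /srv/prunner stays writable.

# get_opt FILE KEY -> value of the last "KEY=" line (systemd: last one wins)
get_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# get_all FILE KEY -> all "KEY=" values joined by spaces (systemd merges
# repeated ReadWritePaths= lines instead of replacing them)
get_all() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tr '\n' ' ')
    printf '%s' "${v% }"
}

# path_covered PATH LIST -> 0 if PATH equals or lies under any entry in the
# space-separated LIST; a leading "-" (ignore if missing) or "+" (relative to
# RootDirectory) flag on an entry is stripped before comparing
path_covered() {
    target=$1
    for p in $2; do
        p=${p#[-+]}
        case "$target" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# check_unit FILE -> 0 when WorkingDirectory stays writable, 1 when strict
# mode would make it read-only
check_unit() {
    mode=$(get_opt "$1" ProtectSystem)
    wd=$(get_opt "$1" WorkingDirectory)
    wd=${wd#-}                      # WorkingDirectory= also allows a "-" prefix
    rw=$(get_all "$1" ReadWritePaths)
    [ "$mode" = "strict" ] || return 0   # full/true/yes do not touch /srv
    [ -n "$wd" ] || return 0             # nothing to protect
    if path_covered "$wd" "$rw"; then
        echo "ok: $wd is covered by ReadWritePaths=$rw"; return 0
    fi
    echo "problem: ProtectSystem=strict but $wd is not in ReadWritePaths ('$rw')"
    return 1
}

# Constructed sample unit, checked when the script is run directly.
TMP=$(mktemp -d)
printf '[Service]\nWorkingDirectory=/srv/prunner\nProtectSystem=strict\n' > "$TMP/prunner.service"
check_unit "$TMP/prunner.service" || true   # prints the "problem:" line
rm -rf "$TMP"
```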
I guess if I went with them anyways, I should make sure to keep backups. Luckily since I plan on using nixos, setting up a new instance would be rather easy.
They have? I’ve been thinking about getting a vps with them, maybe I should look for some other.
If you add the ReadWritePaths I told you to