From 0e5f07612c6d03dc0f61f69433a89486628f1a40 Mon Sep 17 00:00:00 2001 From: Amna <amna.snene@savoirfairelinux.com> Date: Mon, 6 May 2024 15:40:14 -0400 Subject: [PATCH] dnc: fix systemd service Remove the needs of dnc user. We should not force admins to create a new dedicated user. Use a env variable to cache data and add fallbacks to avoid any crash Change-Id: If8fa2ced856c36f2d63870f9b6a6fc7839d91040 --- tools/common.cpp | 17 ++++++++++++-- tools/common.h | 3 ++- tools/dnc/README.md | 4 +++- tools/dnc/dnc.cpp | 7 +++--- tools/dnc/systemd/dnc.service.in | 40 +++++++------------------------- tools/dsh/dsh.cpp | 2 +- tools/dvpn/dvpn.cpp | 2 +- 7 files changed, 35 insertions(+), 40 deletions(-) diff --git a/tools/common.cpp b/tools/common.cpp index aeb21ed..7b10bfd 100644 --- a/tools/common.cpp +++ b/tools/common.cpp @@ -29,6 +29,20 @@ namespace dhtnet { +std::filesystem::path cachePath() +{ + auto* cache_path = getenv("DHTNET_CACHE_DIR"); + if (cache_path) { + return std::filesystem::path(cache_path); + } + auto* home = getenv("HOME"); + if (home) { + return std::filesystem::path(home) / ".cache" / "dhtnet"; + } + // If user got no HOME and no DHTNET_CACHE_DIR set, use /tmp + return std::filesystem::path("/tmp"); +} + std::unique_ptr<ConnectionManager::Config> connectionManagerConfig(dht::crypto::Identity identity, const std::string& bootstrap, @@ -41,7 +55,6 @@ connectionManagerConfig(dht::crypto::Identity identity, const std::string& turn_pass, const std::string& turn_realm) { - std::filesystem::create_directories(PATH/"certstore"); // DHT node creation: To make a connection manager at first a DHT node should be created dht::DhtRunner::Config dhtConfig; dhtConfig.dht_config.id = identity; 
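Review bot: The last fallback in `cachePath()` returns bare `/tmp`, which every local account can write to, and the constructors later in this patch open `cachePath()/"certstore"` under it, so the certificate store would presumably read from a location another user may have prepared. Both `getenv` checks also accept an empty string, which yields an empty (relative) path instead of falling through to the next option. I would treat empty values as unset and fall back to a per-user directory that the caller creates with mode 0700 and whose ownership it verifies before use, or refuse to start when neither variable is set. The function also has no comment stating the lookup order, which the rewrite below adds.

```cpp
// Lookup order: $DHTNET_CACHE_DIR, then $HOME/.cache/dhtnet, then a per-user
// directory under /tmp. getuid() comes from <unistd.h>.
std::filesystem::path cachePath()
{
    // An empty value is treated as unset so it cannot produce a relative path.
    if (const char* cache_path = getenv("DHTNET_CACHE_DIR"); cache_path && *cache_path) {
        return std::filesystem::path(cache_path);
    }
    if (const char* home = getenv("HOME"); home && *home) {
        return std::filesystem::path(home) / ".cache" / "dhtnet";
    }
    // /tmp is shared: never use it directly. The caller must create this
    // directory with mode 0700 and check that it owns it before loading
    // certificates from it.
    return std::filesystem::path("/tmp") / ("dhtnet-" + std::to_string(getuid()));
}
```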
@@ -70,7 +83,7 @@ connectionManagerConfig(dht::crypto::Identity identity, config->id = identity; config->ioContext = ioContext; config->certStore = certStore; - config->cachePath = PATH; + config->cachePath = cachePath(); config->factory = iceFactory; config->logger = logger; if (!turn_host.empty()){ diff --git a/tools/common.h b/tools/common.h index d08512d..b1bde5c 100644 --- a/tools/common.h +++ b/tools/common.h @@ -25,7 +25,8 @@ namespace dhtnet { using Buffer = std::shared_ptr<std::vector<uint8_t>>; constexpr size_t BUFFER_SIZE = 64 * 1024; -const std::filesystem::path PATH = std::filesystem::path(getenv("HOME")) / ".dhtnet"; + +std::filesystem::path cachePath(); std::unique_ptr<ConnectionManager::Config> connectionManagerConfig( dht::crypto::Identity identity, diff --git a/tools/dnc/README.md b/tools/dnc/README.md index 6fe2748..fffb379 100644 --- a/tools/dnc/README.md +++ b/tools/dnc/README.md @@ -46,8 +46,10 @@ To facilitate SSH connections to a remote device, dnc establishes a DHT network To initiate, generate a certificate authority and a server certificate: ```shell -sudo dhtnet-crtmgr --setup -o /etc/dhtnet/ +sudo dhtnet-crtmgr --setup -o /usr/local/etc/dhtnet/ ``` +The server will cache some values in `/var/run/dhtnet`. If this must be changed, +you can remove the line `Environment="DHTNET_CACHE_DIR=/var/run/dhtnet"` in `dnc.service.in`. Then, launch the dnc service: ```shell systemctl start dnc.service diff --git a/tools/dnc/dnc.cpp b/tools/dnc/dnc.cpp index 3923716..bce0388 100644 --- a/tools/dnc/dnc.cpp +++ b/tools/dnc/dnc.cpp 
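Review bot: Nothing visible in `connectionManagerConfig` creates the cache directory any more: the preceding hunk drops `std::filesystem::create_directories(PATH/"certstore")` and `config->cachePath = cachePath();` only records the path. Unless `ConnectionManager` or `tls::CertificateStore` create it themselves (not shown here), a first run with a fresh `DHTNET_CACHE_DIR` may fail or silently cache nothing. I would create it here with owner-only access, e.g. `std::filesystem::create_directories(config->cachePath);` followed by `std::filesystem::permissions(config->cachePath, std::filesystem::perms::owner_all);`. The function body starts and ends outside this hunk.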
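Review bot: The new declaration `std::filesystem::path cachePath();` carries no comment, so the lookup order is only discoverable by reading common.cpp; I would add `/// Cache directory: $DHTNET_CACHE_DIR, else $HOME/.cache/dhtnet, else /tmp.` above it. The default location also moves from `$HOME/.dhtnet` to `$HOME/.cache/dhtnet`, so certificates an existing install cached under the old path would presumably no longer be found. That change deserves a line in the commit message or the README.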
@@ -62,9 +62,7 @@ Dnc::Dnc(dht::crypto::Identity identity, const bool anonymous) : logger(dht::log::getStdLogger()) , ioContext(std::make_shared<asio::io_context>()), - iceFactory(std::make_shared<IceTransportFactory>(logger)), - certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)), - trustStore(std::make_shared<tls::TrustStore>(*certStore)) + iceFactory(std::make_shared<IceTransportFactory>(logger)) { ioContextRunner = std::thread([context = ioContext, logger = logger] { try { @@ -76,6 +74,9 @@ Dnc::Dnc(dht::crypto::Identity identity, } }); + certStore = std::make_shared<tls::CertificateStore>(cachePath()/"certStore", logger); + trustStore = std::make_shared<tls::TrustStore>(*certStore); + auto ca = identity.second->issuer; trustStore->setCertificateStatus(ca->getId().toString(), tls::TrustStore::PermissionStatus::ALLOWED); diff --git a/tools/dnc/systemd/dnc.service.in b/tools/dnc/systemd/dnc.service.in index dedcea4..3f0568e 100644 --- a/tools/dnc/systemd/dnc.service.in +++ b/tools/dnc/systemd/dnc.service.in 
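Review bot: The store directory is spelled `"certStore"` in the added assignment, while dsh.cpp and dvpn.cpp in this same patch, and the initializer removed in the previous hunk, use `"certstore"`. On a case-sensitive filesystem dnc would then keep its certificates in a different directory from the other tools that share the same cache path. Unless that split is intended, use `certStore = std::make_shared<tls::CertificateStore>(cachePath()/"certstore", logger);`. The constructor body continues outside the hunk.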
@@ -2,42 +2,20 @@ Description=Dnc server Documentation=man:dnc(1) After=network.target +Wants=network-online.target +Documentation=https://git.jami.net/savoirfairelinux/dhtnet/blob/master/tools/dvpn/README.md [Service] -Type=simple -User=dnc -Group=dnc +Type=exec +Environment="DHTNET_CACHE_DIR=/var/run/dhtnet" ExecStart=@bindir@/dnc -l -d @sysconfdir@/dhtnet/dnc.yaml -c @sysconfdir@/dhtnet/id/id-server.crt -p @sysconfdir@/dhtnet/id/id-server.pem Restart=on-failure -RestartSec=2s -LimitNOFILE=65536 -DynamicUser=yes -KillMode=process -WorkingDirectory=/tmp - -# Hardening -CapabilityBoundingSet=CAP_NET_BIND_SERVICE -LockPersonality=yes -NoNewPrivileges=yes -PrivateDevices=yes -PrivateTmp=yes -PrivateUsers=yes -ProtectClock=yes -ProtectControlGroups=yes -ProtectHome=yes -ProtectHostname=yes -ProtectKernelLogs=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes ProtectSystem=strict -ReadOnlyDirectories=/ -ReadWriteDirectories=-/proc/self -ReadWriteDirectories=-/var/run -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=yes -RestrictRealtime=yes -SystemCallArchitectures=native +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +PrivateDevices=yes SystemCallFilter=@system-service [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file diff --git a/tools/dsh/dsh.cpp b/tools/dsh/dsh.cpp index 9da0544..8456612 100644 --- a/tools/dsh/dsh.cpp +++ b/tools/dsh/dsh.cpp @@ -95,7 +95,7 @@ dhtnet::Dsh::Dsh(dht::crypto::Identity identity, :logger(dht::log::getStdLogger()) , ioContext(std::make_shared<asio::io_context>()), iceFactory(std::make_shared<IceTransportFactory>(logger)), - certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)), + certStore(std::make_shared<tls::CertificateStore>(cachePath()/"certstore", logger)), trustStore(std::make_shared<tls::TrustStore>(*certStore)) { ioContext = std::make_shared<asio::io_context>(); 
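Review bot: With `User=`, `Group=` and `DynamicUser=` removed the service runs as root, and the same `[Service]` hunk also drops `NoNewPrivileges`, `CapabilityBoundingSet`, `PrivateTmp`, `ProtectHome`, `RestrictAddressFamilies` and the other sandboxing lines, none of which depend on a dedicated account. `ProtectSystem=strict` is kept while `ReadWriteDirectories=-/var/run` is removed, so `/var/run/dhtnet` is likely read-only for the process and nothing creates it. I would let systemd own the directory through `RuntimeDirectory=` and restore the account-independent hardening, as sketched below. Separately, the added `Documentation=` line points at the dvpn README and `Wants=network-online.target` has no matching `After=`.

```ini
[Service]
# … unchanged: Type, ExecStart, Restart …
# systemd creates /run/dhtnet with these permissions and keeps it writable
# despite ProtectSystem=strict.
RuntimeDirectory=dhtnet
RuntimeDirectoryMode=0700
Environment="DHTNET_CACHE_DIR=%t/dhtnet"
# Hardening that does not require a dedicated user (restored from the old unit).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# … unchanged: ProtectSystem through SystemCallFilter …
```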
diff --git a/tools/dvpn/dvpn.cpp b/tools/dvpn/dvpn.cpp index 021b000..f6214a3 100644 --- a/tools/dvpn/dvpn.cpp +++ b/tools/dvpn/dvpn.cpp @@ -166,7 +166,7 @@ dhtnet::Dvpn::Dvpn(dht::crypto::Identity identity, : logger(dht::log::getStdLogger()) , ioContext(std::make_shared<asio::io_context>()), iceFactory(std::make_shared<IceTransportFactory>(logger)), - certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)), + certStore(std::make_shared<tls::CertificateStore>(cachePath()/"certstore", logger)), trustStore(std::make_shared<tls::TrustStore>(*certStore)) { ioContextRunner = std::thread([context = ioContext, logger = logger] { -- GitLab