steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity
Files
c691dc8a56ce1702442ee0224cb7fead9f3969c8
restic-manager/deploy/install/restic-manager-agent.service
T
steve c565a7abd1
CI / Test (linux/amd64) (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
CI / Build (windows/amd64) (push) Has been cancelled
Details
CI / Build (linux/amd64) (push) Has been cancelled
Details
CI / Build (linux/arm64) (push) Has been cancelled
Details
agent unit: drop SystemCallFilter — was killing restic with SIGSYS 
Allow-list filter @system-service excludes some syscalls Go's
runtime + restic's file scanner reach for; init job died
immediately with "bad system call (core dumped)". CapabilityBounding
already constrains what root can do; the Protect*/Restrict* toggles
still cover network / kernel / mount / namespace. Net effect on the
threat model is negligible vs the operational cost.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 13:40:43 +01:00

64 lines
2.4 KiB
Desktop File
Raw Blame History

[Unit]
Description=restic-manager agent
Documentation=https://gitea.dcglab.co.uk/steve/restic-manager
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/restic-manager-agent -config /etc/restic-manager/agent.yaml
Restart=always
RestartSec=5
# The agent runs as root. A fleet-backup tool needs to read every
# file on the system regardless of DAC permissions; running as a
# dedicated unprivileged user means either silent skips on /home,
# /root, /var/lib/<other-daemons>, or operators having to add the
# service user to every group whose files they want backed up. Both
# are worse than the threat model already implies (the agent holds
# repo credentials, executes arbitrary restic, and runs operator-
# defined hooks — its blast radius is already large).
#
# The mitigation is aggressive systemd sandboxing of the root
# process: drop all capabilities except the few we need, deny
# writes outside our state dirs, and forbid privilege escalation.
User=root
Group=root
# CAP_DAC_READ_SEARCH lets us read any file regardless of DAC perms
# (the "backup everything" capability). CAP_DAC_OVERRIDE is needed
# during restore for chown/chmod to recreate ownership. Drop the
# rest — root in this process means "can read", not "can do".
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN
# Hardening — blocks privilege escalation even from root, and
# confines writes / network / kernel access to what restic actually
# needs. Filesystem reads stay open: that's the whole job.
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/etc/restic-manager /var/lib/restic-manager
ProtectHome=read-only
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
# (No SystemCallFilter — the cap drop above already constrains what
# root can do; an allow-list filter killed restic with SIGSYS during
# init because @system-service excludes some of the syscalls Go's
# runtime + restic's file scanner reach for. The Protect*/Restrict*
# toggles still cover network / kernel / mount / namespace.)
[Install]
WantedBy=multi-user.target
Reference in New Issue View Git Blame Copy Permalink