Thank you for suggesting this change. This should definitely be merged. Works on my setup, and I will override my services with this until it (or something similar) makes it upstream. Iperf is one of those services that is useful to have exposed to the internet as a testing endpoint, and it is a really bad idea that the easiest way to deploy such a service runs as root with full privileges.
Thanks for the PR! We'll take a look. The use of iperf3 as a systemd service is not one of our primary use cases, but these changes look pretty reasonable at first glimpse.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
contrib/iperf3.service
| [Service] | ||
| ExecStart=/usr/bin/iperf3 -s | ||
| Restart=on-failure | ||
| User=nobody |
User=nobody will cause the unit to fail to start on systems where that account/group is absent, and it also uses a widely shared identity (less isolation between services). Consider switching to DynamicUser=yes (preferred for sandboxed services) or documenting/creating a dedicated iperf3 system user (and optionally set Group= explicitly).
| User=nobody | |
| DynamicUser=yes |
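Review bot: taking this suggestion leaves the pull request's commit-message description out of date, since that description still lists User=nobody as the directive that runs iperf3 with minimal privileges; update that bullet to describe DynamicUser=yes so the description matches the unit file that is actually merged.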
Co-authored-by: Johannes Larsen <mail@johslarsen.net>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
We tested with
* relnotes: First draft of iperf-3.21 release notes (not completed yet).
* relnotes: Add a note for the iperf3.service file change in PR #1855.
* releng: Update release number and manpage dates for iperf-3.21.
* Regen.
* relnotes: Set release date
PLEASE NOTE the following text from the iperf3 license. Submitting a
pull request to the iperf3 repository constitutes "[making]
Enhancements available...publicly":
The complete iperf3 license is available in the LICENSE file in the top directory of the iperf3 source tree.
Version of iperf3 (master or 3.1-STABLE) to which this pull request applies: master
Issues fixed (if any):
This pull request improves the security posture of the iperf3 systemd service by introducing additional systemd hardening options. These changes restrict privileges, isolate resources, and mitigate potential attack vectors.
Brief description of code changes (suitable for use as a commit message):
* User=nobody to run iperf3 with minimal privileges.
* NoNewPrivileges=yes – Prevents privilege escalation.
* PrivateTmp=yes – Isolates /tmp and /var/tmp to prevent interference.
* PrivateDevices=yes and DevicePolicy=closed – Restricts access to device files.
* ProtectSystem=strict – Makes the filesystem read-only except for essential directories.
* ProtectHome=read-only – Prevents modification of user home directories.
* ProtectControlGroups=yes, ProtectKernelModules=yes, ProtectKernelTunables=yes – Restricts access to kernel-related settings.
* RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK – Limits allowed network families.
* RestrictNamespaces=yes – Disables namespace usage to prevent container escape vulnerabilities.
* RestrictRealtime=yes and RestrictSUIDSGID=yes – Prevents real-time scheduling abuse and SUID/SGID privilege escalation.
* MemoryDenyWriteExecute=yes – Blocks execution of writable memory.
* LockPersonality=yes – Prevents personality changes to avoid exploits.
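As an added example (not code from the iperf3 project or this pull request), the script below parses a unit file's [Service] section and reports where it deviates from the hardening directives listed in the description, also flagging the root and User=nobody identity cases raised in the review comments. The unit text is constructed here, and the hardened variant follows the review suggestion of DynamicUser=yes rather than User=nobody.

```python
# Added example, not iperf3 project code. Constructed "before" unit: no User=, so it runs as root.
BASELINE_UNIT = """[Service]
ExecStart=/usr/bin/iperf3 -s
Restart=on-failure
[Install]
WantedBy=multi-user.target
"""

# Directives and values as listed in the PR description.
HARDENING = {key: "yes" for key in (
    "NoNewPrivileges", "PrivateTmp", "PrivateDevices", "ProtectControlGroups",
    "ProtectKernelModules", "ProtectKernelTunables", "RestrictNamespaces",
    "RestrictRealtime", "RestrictSUIDSGID", "MemoryDenyWriteExecute", "LockPersonality")}
HARDENING.update({"DevicePolicy": "closed", "ProtectSystem": "strict",
                  "ProtectHome": "read-only",
                  "RestrictAddressFamilies": "AF_UNIX AF_INET AF_INET6 AF_NETLINK"})

def parse_service_section(unit_text):
    """Key=value pairs of [Service]; other sections and comments are skipped."""
    section, opts = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def audit(unit_text):
    """Deviations from the PR's hardening baseline; an empty list means compliant."""
    opts = parse_service_section(unit_text)
    findings = []
    if opts.get("DynamicUser", "no").lower() not in ("yes", "true", "on", "1"):
        user = opts.get("User")
        if user is None:
            findings.append("runs as root: neither User= nor DynamicUser= set")
        elif user == "nobody":  # the review comment's point: shared identity
            findings.append("User=nobody: shared identity, account may be absent")
    for key, want in HARDENING.items():
        have = opts.get(key)
        if have is None:
            findings.append(f"missing {key}={want}")
        elif have != want:
            findings.append(f"{key}={have} (expected {want})")
    return findings

def hardened(unit_text):  # constructed "after": DynamicUser=yes (review suggestion) plus the PR's directives
    extra = "DynamicUser=yes\n" + "".join(f"{k}={v}\n" for k, v in HARDENING.items())
    return unit_text.replace("Restart=on-failure\n", "Restart=on-failure\n" + extra)
```

Running audit() on the baseline lists the root finding plus one missing line per directive; on hardened(BASELINE_UNIT) it returns an empty list.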