Page MenuHomePhabricator
Create Task
Maniphest T108410

Add confinement around Blazegraph
Closed, ResolvedPublic
Actions

Description

From T90115

I don't have any concerns/objections about setting this up, I mostly wanted to know the status of the various countermeasures mentioned in this task.

What kind of measures do you propose?

systemd supports various features to restrict running processes, e.g. for restricting filesystem access or through disallowing potentially harmful syscalls using seccomp-bpf. This doesn't need to be present in the initial deployment, but it would be good to add in a followup step.

Related Objects

Event Timeline

csteipp created this task.Aug 8 2015, 12:00 AM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: Wikidata-Query-Service.
csteipp subscribed.
Restricted Application added projects: Wikidata, Discovery-ARCHIVED. · View Herald TranscriptAug 8 2015, 12:00 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
csteipp mentioned this in T90115: BlazeGraph Security Review.Aug 8 2015, 12:08 AM
Smalyshev subscribed.Aug 8 2015, 8:32 PM
Lydia_Pintscher moved this task from incoming to monitoring on the Wikidata board.Aug 11 2015, 2:21 PM
Smalyshev moved this task from Incoming to Need investigation on the Wikidata-Query-Service board.Oct 19 2015, 10:03 PM
JanZerebecki subscribed.Oct 21 2015, 1:16 PM
Smalyshev triaged this task as Medium priority.Sep 12 2016, 10:44 PM
Smalyshev moved this task from Need investigation to Operations/SRE on the Wikidata-Query-Service board.Oct 11 2016, 5:54 PM
Smalyshev added a comment.Feb 22 2017, 1:01 AM

This seems to be dormant for a long time. @csteipp, do you have any specific advice as to what should be done here? Or given the fact it's running on their own servers it may be unnecessary? Would like to hear some advice on this.

Smalyshev closed this task as Resolved.Jan 3 2019, 1:28 AM
Smalyshev claimed this task.

We have this config in systemd right now:

PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

ReadOnlyDirectories=/
# data storage
ReadWriteDirectories=/srv/wdqs
# logs
ReadWriteDirectories=/var/log/wdqs
# already protected by PrivateTmp
ReadWriteDirectories=/tmp /var/tmp

I think this can be closed. If there's more needed, please reopen and describe what is missing.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL