Minimal server (with maximal security) for turning off an X10-controlled fan over HTTP

Overview

"Fan Remote"

A self-contained Rust binary to expose a single X10 command (turn off that fan) as an HTML form button.

In its current form, it's highly specialized, but I've put so much work into locking down the systemd sandboxing for it that you might find it useful as a starting point for creating ultra-sandboxed HTTP daemons that need to invoke /usr/bin/br or something similar.

Here's what systemd-analyze security has to say about it as of this writing:

  NAME                                                        DESCRIPTION                                                                   EXPOSURE
✓ PrivateNetwork=                                             Service has no access to the host's network
✓ User=/DynamicUser=                                          Service runs under a transient non-root user identity
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities
✓ RestrictAddressFamilies=~AF_(INET|INET6)                    Service cannot allocate Internet sockets
✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges
✓ CapabilityBoundingSet=~CAP_RAWIO                            Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                 0.1
✓ IPAddressDeny=                                              Service blocks all IP address ranges
✓ KeyringMode=                                                Service doesn't share key material with other services
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges
✓ NotifyAccess=                                               Service child processes cannot alter service state
✓ PrivateDevices=                                             Service has no access to hardware devices
✓ PrivateMounts=                                              Service cannot install system mounts
✓ PrivateTmp=                                                 Service has no access to other software's temporary files
✓ PrivateUsers=                                               Service does not have access to other users
✗ ProtectClock=                                               Service may write to the hardware clock or system clock                            0.2
✓ ProtectControlGroups=                                       Service cannot modify the control group file system
✓ ProtectHome=                                                Service has no access to home directories
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI
✓ SystemCallFilter=~@clock                                    System call whitelist defined for service, and @clock is not included
✓ SystemCallFilter=~@debug                                    System call whitelist defined for service, and @debug is not included
✓ SystemCallFilter=~@module                                   System call whitelist defined for service, and @module is not included
✓ SystemCallFilter=~@mount                                    System call whitelist defined for service, and @mount is not included
✓ SystemCallFilter=~@raw-io                                   System call whitelist defined for service, and @raw-io is not included
✓ SystemCallFilter=~@reboot                                   System call whitelist defined for service, and @reboot is not included
✓ SystemCallFilter=~@swap                                     System call whitelist defined for service, and @swap is not included
✓ SystemCallFilter=~@privileged                               System call whitelist defined for service, and @privileged is not included
✓ SystemCallFilter=~@resources                                System call whitelist defined for service, and @resources is not included
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters
✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces
✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces
✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces
✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces
✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted
✓ SystemCallFilter=~@cpu-emulation                            System call whitelist defined for service, and @cpu-emulation is not included
✓ SystemCallFilter=~@obsolete                                 System call whitelist defined for service, and @obsolete is not included
✓ RestrictAddressFamilies=~AF_NETLINK                         Service cannot allocate netlink sockets
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                      0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                             0.1
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree
✓ LockPersonality=                                            Service cannot change ABI personality
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around
✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces
✓ UMask=                                                      Files created by service are accessible only by service's own user by default
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()
✓ ProtectHostname=                                            Service cannot change system host/domainname
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system
✓ RestrictAddressFamilies=~AF_UNIX                            Service cannot allocate local sockets

→ Overall exposure level for fan_remote.service: 0.4 SAFE 😀

The ✗ ProtectClock= isn't intended, but I haven't been able to figure out what else in the service definition is overriding my ProtectClock=yes.

You might also like...
oneoff is a library for one-off types

OneOff OneOff is a library for one-off types use oneoff::OneOff; let left = OneOff::Left(1); let right = OneOff::Right(2); assert_eq!(left, OneOff:

Over-simplified, featherweight, open-source and easy-to-use authentication and authorization server.

concess ⚠️ Early Development: This is not production ready, yet. Do not use it for anything important. Introduction concess is a over-simplified, feat

Minimal and blazing-fast file server. For real, this time.

Zy Minimal and blazing-fast file server. For real, this time. Features Single Page Application support Partial responses (Range support) Cross-Origin

A minimal file exchange server designed for clients with browsers only.

XIAO-Files Xiao-Files is a minimal file exchange server designed for clients with browsers only. Example Let's say we have a host with IP 10.8.20.1, a

Yet another lightweight and easy to use HTTP(S) server

Raptor Web server Raptor is a HTTP server written in Rust with aims to use as little memory as possible and an easy configuration. It is built on top

A fast and lightweight HTTP server implementation in Rust.

server_nano A tiny, fast, and friendly web server written in rust and inspired by express. It uses may to coroutines Usage First, add this to your Car

Curated list of awesome projects and resources related to Rust and computer security

Awesome Rust Security Curated list of awesome projects and resources related to Rust and computer security Table of Contents Tools Web and Cloud Secur

An NTP implementation in Rust, supported by Internet Security Research Group's Prossimo project.

NTPD-rs NTPD-rs is an implementation of NTP completely written in Rust, with a focus on exposing a minimal attack surface. The project is currently in

Build some cyber security tools in Rust :crab: :rocket:

here we're trying to write some tools for cyber security in Rust because we don't have enough community for Rust in the cyber security field soo this

Comments
  • Bump notify-rust from 4.5.10 to 4.6.0

    Bump notify-rust from 4.5.10 to 4.6.0

    Bumps notify-rust from 4.5.10 to 4.6.0.

    Changelog

    Sourced from notify-rust's changelog.

    v4.6.0 (2022-12-04)

    Features

    • update zbus dependency to 3.x (8425c05)
    Commits
    • 575adae chore: bump version
    • 0c2a33c Merge pull request #162 from hoodie/feature/format
    • 6096c0a ci: rename commit message stage
    • f0bd27d ci: check fmt (via actions-rs)
    • 103ac2e ci: check fmt on PR
    • 8b8c8e8 style: apply default rustfmt
    • a779208 chore: remove custom fmt config
    • 6020bab Merge pull request #153 from hoodie/feature/hendriks/update-zbus-3
    • ada8859 chore: changelog
    • 7321f00 refactor: stop using deprecated proxy match api
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies rust 
    opened by dependabot[bot] 0
  • Bump thiserror from 1.0.37 to 1.0.38

    Bump thiserror from 1.0.37 to 1.0.38

    Bumps thiserror from 1.0.37 to 1.0.38.

    Release notes

    Sourced from thiserror's releases.

    1.0.38

    • Documentation improvements
    Commits
    • 74bfe75 Release 1.0.38
    • cfc7d8c Update build status badge
    • db78fa2 Update ui test suite to nightly-2022-12-15
    • c25a710 Time out workflows after 45 minutes
    • 464e2e7 Merge pull request #200 from dtolnay/displayattr
    • 4b06a3e Add test of Display impl nested inside display attribute
    • 29ee95e Ui test changes for trybuild 1.0.66
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies rust 
    opened by dependabot[bot] 0
Owner
Stephan Sokolow
My pre-June 2022 commits don't show up in the activity view because GitHub's "claim your commits" form never anticipated user.email being a URL to avoid spam
Stephan Sokolow
A tool to control the fan speed by monitoring the temperature of CPU via IPMI.

ipmi-fan-control A tool to control the fan speed by monitoring the temperature of CPU via IPMI. Why Our Dell R730 server's iDRAC is not works as expec

yinheli 9 Dec 29, 2022
A GUI Fan control utility for Linux.

TuxTempMaster For now I'm gonna use this README to write the status of the project Important note This program is not gonna do any black magic. If you

Obscurely 12 Dec 23, 2022
A controller for the display and fan of the Raspberry Pi Waveshare PoE HAT written in Rust 🦀

???? RustBerry-PoE-Monitor RustBerry-PoE-Monitor is a Rust-based monitoring and control tool for the Raspberry Pi, specifically designed for use with

jack 5 Nov 27, 2023
Play videos on IT8951-controlled e-paper displays

it8951-video Play videos on IT8951-controlled e-paper displays via USB. This has been tested with a Waveshare 7.8inch e-Paper HAT display. Design This

Andreas Dzialocha 4 Nov 28, 2022
miniserve - a CLI tool to serve files and dirs over HTTP

?? For when you really just want to serve some files over HTTP right now!

Sven-Hendrik Haase 4.1k Jan 6, 2023
Shell scripting that will knock your socks off

atom Shell scripting that will knock your socks off. NOTE: Click the image above for a video demonstration.

adam mcdaniel 256 Dec 14, 2022
CLI program for sending one-off requests to the VTube Studio API

vtubestudio-cli (vts) CLI program for sending one-off requests to the VTube Studio API. It connects to the websocket, authenticates, performs one or t

null 2 Nov 24, 2021
An easy-to-use TUI crate for Rust, based off of the Elm architecture.

Rustea An easy-to-use TUI crate for Rust, based off of the Elm architecture. This is a re-implementation of Go's Tea, created by TJ Holowaychuk. Featu

Laz 82 Dec 21, 2022
Following "ZK HACK III - Building On-chain Apps Off-chain Using RISC Zero"

RISC Zero Rust Starter Template Welcome to the RISC Zero Rust Starter Template! This template is intended to give you a starting point for building a

drCathieSo.eth 3 Dec 22, 2022
🎨✨ Show off your soothing color palette

?? Show off your soothing color palette ✨ Palettes · install · contribute · Gratitute ?? Palettes Rust C Lua Ruby Go sh js ?? install Installing this

BinaryBrainiacs 4 Jan 28, 2023