Bugzilla – Bug 1226083
AUDIT-WHITELIST: valkey: new sysctl files and user+group
Last modified: 2024-06-13 07:38:36 UTC
I've submitted Valkey (a community-developed fork of Redis) to Factory (https://build.opensuse.org/request/show/1179160), but the submission build bombs out in staging with the following error: [ 340s] valkey.x86_64: E: sysctl-file-unauthorized (Badness: 10000) /usr/lib/sysctl.d/00-valkey.conf (sha256 file digest default filter:0808640fa6dadb334bb6efacea7cf703095f9e44e964186cff673ca5e192fecc shell filter:7642699dc64ccba77154ede500b8657989cbe0e82c67753a3df8c334efa0a8f8 xml filter:<failed-to-calculate>) [ 340s] Packaging sysctl.d drop-in configuration files requires a review and [ 340s] whitelisting by the SUSE security team. If the package is intended for [ 340s] inclusion in any SUSE product please open a bug report to request review of [ 340s] the package by the security team. Please refer to [ 340s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for [ 340s] more information. [ 340s] [ 340s] valkey.x86_64: W: non-standard-uid /run/valkey valkey [ 340s] valkey.x86_64: W: non-standard-uid /var/lib/valkey valkey [ 340s] valkey.x86_64: W: non-standard-uid /var/lib/valkey/default valkey [ 340s] valkey.x86_64: W: non-standard-uid /var/log/valkey valkey [ 340s] A file in this package is owned by an unregistered user id. To register the [ 340s] user, please make a pull request to the rpmlint config file [ 340s] configs/openSUSE/users-groups.toml in the rpmlint repository. [ 340s] [ 340s] valkey.x86_64: W: non-standard-gid /etc/valkey valkey [ 340s] valkey.x86_64: W: non-standard-gid /etc/valkey/default.conf.example valkey [ 340s] valkey.x86_64: W: non-standard-gid /etc/valkey/sentinel.conf.example valkey [ 340s] valkey.x86_64: W: non-standard-gid /run/valkey valkey [ 340s] valkey.x86_64: W: non-standard-gid /var/lib/valkey valkey [ 340s] valkey.x86_64: W: non-standard-gid /var/lib/valkey/default valkey [ 340s] valkey.x86_64: W: non-standard-gid /var/log/valkey valkey [ 340s] A file in this package is owned by an unregistered group id. To register the [ 340s] group, please make a pull request to the rpmlint config file [ 340s] configs/openSUSE/users-groups.toml in the rpmlint repository. I leveraged the original Redis packaging in openSUSE as the basis of the Valkey package. The sysctl file in here is the same file as in the Redis package, with only the word "redis" replaced with "valkey" in the text. The user and group is basically the same definition with "redis" replaced with "valkey". I'd like this to be whitelisted so that it can land in Factory.
Thanks for the bug report. We will schedule it in our team shortly.
Just a quick update: we are working on it and expect to finish the review today.
OBS project: server:database/valkey Upstream: https://github.com/valkey-io/valkey Original upstream: https://github.com/redis/redis We concluded our initial review. Due to the size and complexity, a full audit of valkey was not feasible at this point. We focused our review on a few key points: - differences from the original redis - sysctl settings - systemd unit - file system permissions - default config ### Differences from the original Redis valkey-7.2.4 is an exact copy of redis-7.2.4. The first differences arise with (this) release 7.2.5. We went through the complete diff and found no obvious security-related changes. Most changes are just debranding and API compatibility fixes. There were a few commits missing in valkey-7.2.5 (compared to redis-7.2.5): - Missing fix for: https://github.com/redis/redis/issues/12864 - Missing unit tests for: https://github.com/redis/redis/pull/13004 - Missing bug fix: https://github.com/redis/redis/commit/b3aaa0a1362d229ba1ecd44629655f76c77304ec - Missing bug fix: https://github.com/redis/redis/commit/bad33f8738b4be5f58c4439a0c78312e4afbe432 - Missing bug fix: https://github.com/redis/redis/commit/1e8dc1da0de0add40d56fcbab9b64a3c5e61b6dd As far as we can tell, none of this is security-related. OK from a security PoV. ### sysctl settings The two sysctl settings are identical to Redis. It's a bit unfortunate that `vm.overcommit_memory=1` is set system-wide just by installing this package. As it was already noted by mgerstner in another bug, it would be an improvement to just set this sysctl option in a systemd unit, when valkey is actually started. If valkey ran as root, it would be simple with ``` ExecStartPre=sysctl vm.overcommit_memory=1 ``` However, since the valkey service (correctly) drops its privileges, this would have to be implemented in a separate systemd unit. Not a problem from a security PoV though. OK from our side. ### systemd unit Upstream's systemd unit lacks systemd hardenings and doesn't drop privileges by default but fortunately the (open)SUSE package ships its own much improved systemd. Good! I tested a few additional hardenings with no apparent problems: ``` --- valkey@.service.orig 2024-06-11 11:13:59.169323953 +0200 +++ valkey@.service 2024-06-06 20:26:20.000000000 +0200 @@ -8,8 +8,6 @@ User=valkey Group=valkey PrivateTmp=true -# added automatically, for details please see -# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ProtectSystem=full ProtectHome=true PrivateDevices=true @@ -20,7 +18,11 @@ ProtectKernelLogs=true ProtectControlGroups=true RestrictRealtime=true -# end of automatic additions +MemoryDenyWriteExecute=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=true +RestrictSUIDSGID=true + PIDFile=/run/valkey/%i.pid ExecStart=/usr/bin/val ``` ``` --- valkey-sentinel@.service.orig 2024-06-11 11:15:04.960116608 +0200 +++ valkey-sentinel@.service 2024-06-11 11:15:35.650486709 +0200 @@ -8,8 +8,6 @@ User=valkey Group=valkey PrivateTmp=true -# added automatically, for details please see -# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ProtectSystem=full ProtectHome=true PrivateDevices=true @@ -20,7 +18,11 @@ ProtectKernelLogs=true ProtectControlGroups=true RestrictRealtime=true -# end of automatic additions +MemoryDenyWriteExecute=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=true +RestrictSUIDSGID=true + ReadWritePaths=/etc/valkey PIDFile=/run/valkey/sentinel-%i.pid ExecStart=/usr/bin/valkey-sentinel /etc/valkey/sentinel-%i.conf ``` It would be great if you could include these changes, even though they're not strictly necessary. We will whitelist the package either way. ### File system permissions No problems here. OK. ### Default config Valkey's default config is well-documented with sane defaults. - Binds to localhost only by default. Good! - In all cases where the user is asked to create files or directories, correct file system permissions are mentioned. Good! ## Summary We might conduct an in-depth audit in the future, but for now we can safely whitelist this package.
Whitelisting in progress: https://github.com/rpm-software-management/rpmlint/pull/1236 It might take a while until it lands in openSUSE:Factory, but usually not more than 1-2 days.
https://build.opensuse.org/request/show/1180036
Request accepted into openSUSE:Factory