From eefafb54ef3fbc0f2bf146e5fdefe75bdc154a69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 15 May 2022 08:58:32 +0200
Subject: [PATCH 1/2] nixos/upterm: additional hardening
Before:
$ ps aux | grep upterm
root 2575046 0.0 0.0 1085080 6968 ? Ssl 07:03 0:00 /nix/store/ci97r1lqx4128w75k7dcsw82j5bl0n3g-upterm-0.8.2/bin/uptermd --ssh-addr [::]:2323 --private-key ssh_host_ed25519_key
After
$ ps aux | grep upterm
uptermd 2832993 0.4 0.0 1158812 6856 ? Ssl 07:08 0:00 /nix/store/ci97r1lqx4128w75k7dcsw82j5bl0n3g-upterm-0.8.2/bin/uptermd --ssh-addr [::]:2323 --private-key ssh_host_ed25519_key
---
 nixos/modules/services/networking/uptermd.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/uptermd.nix b/nixos/modules/services/networking/uptermd.nix
index 072f561f5c3..b845a00649e 100644
--- a/nixos/modules/services/networking/uptermd.nix
+++ b/nixos/modules/services/networking/uptermd.nix
@@ -85,6 +85,7 @@ in
 AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
 CapabilityBoundingSet = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
 PrivateUsers = cfg.port >= 1024;
+ DynamicUser = true;
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
 PrivateDevices = true;
@@ -95,7 +96,9 @@ in
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ ProtectProc = "invisible";
+ # AF_UNIX is for ssh-keygen, which relies on nscd to resolve the uid to a user
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 SystemCallArchitectures = "native";
From 14e2c1e4fb972145bb2d8ed5f60a435fc3319276 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 15 May 2022 09:52:39 +0200
Subject: [PATCH 2/2] nixos/upterm: fix race condition in test
---
 nixos/tests/uptermd.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
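Review bot: `DynamicUser = true;` moves the daemon from root onto a transient uid, but the hunk does not show how the host key the description passes as `--private-key ssh_host_ed25519_key` is made readable by that uid; a key file written by the previously root-running unit would be unreadable after the upgrade unless it lives in a `StateDirectory=` (outside this hunk, if present) whose ownership systemd re-assigns on each start. A comment on the new line should record that assumption, e.g. `# DynamicUser: the host key must live under StateDirectory so systemd fixes its ownership on every start`. The `serviceConfig` attribute set this hunk edits starts and ends outside the hunk.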
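Review bot: The new comment above `RestrictAddressFamilies` names nscd as the reason for `"AF_UNIX"` but leaves the operational dependency implicit: the transient uid created by `DynamicUser` is presumably only resolvable through nscd's socket, so on a host where nscd is disabled the ssh-keygen path would fail at start rather than degrade. Suggest making that explicit, e.g. `# AF_UNIX is for ssh-keygen, which resolves the DynamicUser uid via nscd's socket (nscd must be running)`. `ProtectProc = "invisible";` is added without a rationale while the surrounding flags are self-explanatory; a short trailing comment such as `# hide other users' processes in /proc` would keep the block readable.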
diff --git a/nixos/tests/uptermd.nix b/nixos/tests/uptermd.nix
index b2ff9a1e0d9..d504ef06419 100644
--- a/nixos/tests/uptermd.nix
+++ b/nixos/tests/uptermd.nix
@@ -30,11 +30,14 @@ in
 server.wait_for_unit("uptermd.service")
 server.wait_for_unit("network-online.target")
+ # wait for upterm port to be reachable
+ client1.wait_until_succeeds("nc -z -v server 1337")
+
 # Add SSH hostkeys from the server to both clients
 # uptermd needs an '@cert-authority entry so we need to modify the known_hosts file
- client1.execute("sleep 3; mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
+ client1.execute("mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
 client1.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts")
- client2.execute("sleep 3; mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
+ client2.execute("mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
 client2.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts")
 client1.wait_for_unit("multi-user.target")
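Review bot: `client1.wait_until_succeeds("nc -z -v server 1337")` only proves the TCP port accepts connections, and the `client1.execute(...)` that follows still discards ssh's exit status, so if the handshake fails for any reason `~/.ssh/known_hosts` stays empty and the next line writes a bare `@cert-authority` entry that only surfaces later as a confusing failure. Since `ssh ... ls` is presumably expected to exit non-zero against uptermd (hence `execute` rather than `succeed`), assert on the artifact instead: add `client1.succeed("test -s ~/.ssh/known_hosts")` after the first execute and `client2.succeed("test -s ~/.ssh/known_hosts")` after the second. client2 never probes the port itself and relies on client1's wait having run first, which holds in this sequential script but deserves a one-line comment. The enclosing testScript continues outside the hunk.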