Add recommendations for secure deployment #41
Conversation
|
This is just a draft, I need to test the installation script to make sure the commands work. |
| @@ -30,6 +32,28 @@ Copy and adapt the [configuration](configuration.md) you want to use. | |||
| cp parsec/config.toml config.toml | |||
There was a problem hiding this comment.
Should the config file be in /tmp/parsec/ with permissions 700?
There was a problem hiding this comment.
Actually, that folder might be volatile 😞
There was a problem hiding this comment.
Yes! There are other permanent locations where the different files could go, that are used by other services, but the advantage of using the parsec user home folder and /tmp is that the installation steps rely less on using sudo.
| - The service needs to be running as a separate, trusted, user. Ideally the service would be running | ||
| as the `parsec` user (O-0). |
There was a problem hiding this comment.
I think if we do go and implement the check described in the last point, we have to be more strict here and say "The service must be running as the parsec user."
We should also add some notice of this somewhere in the Linux installation guide, if client libraries won't connect at all if these steps arent' taken
There was a problem hiding this comment.
Will change! Will also add a notice on the clients saying that those steps are essential for clients to successfully connect and verify the service.
|
Two remarks I have seen while testing the installation:
|
I'd be okay with that, maybe park the current state somewhere in case someone asks for this functionality? Or should we hide it behind a feature?
That's strange, when I check locally the file has |
Actually, there are no changes needed in the code but only in the systemd unit files! The code can still support that if anyone wants to use their custom unit files and use socket activation.
I guess it depends how the underlying C library is implemented, if the permission set up for a new socket is not standard 🤔 Yes, I think we can just use the filesystem API to set it ourselves. I implemented those changes in this draft PR. |
|
Something tells me the client change is needed first as a new version. |
Yes, all is just for review currently |
129039f to
5edef12
Compare
|
Made the client change in this one |
| ``` | ||
|
|
||
| In a deployment **without an Identity Provider**, create the `parsec-clients` group and set the | ||
| correct permissions on the socket folder. Mutually trusted Parsec Clients will need to be in that |
There was a problem hiding this comment.
What is meant by "mutually trusted" Parsec clients? The word "mutually" seems to suggest clients that trust each other. But if we really mean clients that are trusted by the service, then we can probably scrub the word "mutually" here.
There was a problem hiding this comment.
Yes, the idea is that the clients trust each other (i.e. they won't use each other's identities) - this is needed because if you have multiple clients and no identity provider, you must have some sort of trust in the other clients
There was a problem hiding this comment.
To add to what Ionut said, this is directly coming from operational mitigation 10 of the service TM:
A set of mutually trusted clients has restricted read-write access to the service IPC endpoint.
Since any client in that group can access the keys of the other ones, we seemed to think that the trust should be in between the clients.
There was a problem hiding this comment.
Added the following paragraph:
+Similarly to the threat model, this guide proposes different alternatives in case an Identity Provider
+is available or not. The role and description of an Identity Provider in Parsec is described in the
+[System Architecture](https://parallaxsecond.github.io/parsec-book/parsec_service/system_architecture.html) page.
+Currently, Parsec does not support integration with any Identity Provider. To securely install Parsec, please
+follow the steps of deployment **without an Identity Provider**.
| mkdir /tmp/parsec | ||
| ``` | ||
|
|
||
| In a deployment **without an Identity Provider**, create the `parsec-clients` group and set the |
There was a problem hiding this comment.
I think we need to set a bit of context here around identity provider, which may be an unfamiliar term and could confuse the reader. In fact, since we haven't integrated any identity providers yet, I'm wondering whether we should just assume the absence of it for now, and explain that the socket needs to be protected at deployment time because there is currently no runtime mechanism for Parsec to validate its clients. (We can then explain that future deployments will have more flexible means of protection, and talk about identity providers in that context). Without some context, I think there's a danger that these recommendations could seem arbitrary.
There was a problem hiding this comment.
Alright! We'll expand on the idea of Identity Provider
There was a problem hiding this comment.
I am personally more in favour of the option where we leave the Identity Provider sections but expand on what it is and the context. To do so, we can point out to the threat model where we make the same distinction of a deployment with and a without an IP:
Parsec could also be deployed in an environment where all clients trust each other and there is no Identity Provider present, and this would lead to some changes to the Threat Model. These changes will be written in italic.
And also point to the System Architecture where we explain what the Identity Provider is.
Having to create a parsec-clients group and adding each and every client that wants to use parsec in it is quite a burden for administrators so it is nice, I think, for them to see "the light at the end of the tunnel" when an IP would exist.
src/threat_model/threat_model.md
Outdated
| | 6 | Parsec configuration file should be only writable by the trusted administrator and readable by the service. | | ||
| | 7 | The trusted administrator needs to check that during the boot process the trusted identity provider has successfully given the root trust bundle to the service. | | ||
| | 8 | The hardware descriptors should only be accessible by trusted privileged processes. | | ||
| | 9 | The Listener endpoint should be contained in a location that only the Parsec service and the trusted administrator can access (only them can create the endpoint). | |
There was a problem hiding this comment.
"only them" should be "only they"
| | 7 | The trusted administrator needs to check that during the boot process the trusted identity provider has successfully given the root trust bundle to the service. | | ||
| | 8 | The hardware descriptors should only be accessible by trusted privileged processes. | | ||
| | 9 | The Listener endpoint should be contained in a location that only the Parsec service and the trusted administrator can access (only them can create the endpoint). | | ||
| | *10* | *A set of mutually trusted clients has restricted read-write access to the service IPC endpoint.* | |
There was a problem hiding this comment.
Again I'm confused by the sense of "mutual" here. Do we mean that the clients trust each other?
5edef12 to
7f8fa09
Compare
The recommendations list what an admin must do to install the service securely. Also modifies the installation guide to make it a secure deployment guide using systemd. Updates the guide to remove socket activation. Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
7f8fa09 to
f898833
Compare
Also modifies the installation guide to make it a secure deployment
guide using systemd.
Before this is merged, the necessary changes would have to be made across all our repositories:
/tmp/parsec/parsec.sock/tmp/parsecdirectory/tmp/parsecdirectory must be owned byparsecuser, group-owned byparsec-clientsand permissions be750. This will be secure by default but annoying for testing. We could add adevfeature which does not do that check, but disabled by default.