Document how Radicale can be sandboxed

[hdatma]

Hello,
#1: Python is a knife without safe handle: it makes it easy to cut yourself. A single line of Python at the unix terminal is good enough to turn any folder into a web page. How do you sandbox Radicale?
#2: Python uses 100MB of disk space. PyPy uses 99MB of disk space. How do you compile Radicale into a stand-alone installation?

[Unrud]

1. Radicale has no sandboxing built-in. Just use common practices.
   • Run it as an unprivileged user, that only has write access to the collection.
   • Make also sure that it can't read sensitive files (like home directories if it's running on your personal computer).
   • Be aware that the built-in webserver doesn't enforce any limits on connections, request sizes etc. and thus is prone to DOS attacks. You maybe want to set limits for CPU and RAM usage to protect the rest of the system from slowing down or even better use are real webserver.
2. CPython uses 25 MB on Debian. You could further reduce this by cherry-picking modules from the standard library.

[hdatma]

1. When using python to serve an internet port, strong sandboxing/chrooting should be in the project.
2. Python/CPython on OSX takes exactly 101.8 MB. Did anybody run Radicale under cython.org safely?

[kousu]

I see this as a documentation issue: document how to sandbox radicale under Linux, OS X, and FreeBSD and call it a day. Process privilege separation is a thing OSes are good at! Don't reinvent the wheel, etc.

[liZe]

I keep point 1 as a documentation issue.

[stephane-martin]

Systemd is your friend: http://0pointer.net/public/systemd-nluug-2014.pdf

I'll post an example later :)

[Unrud]

Systemd is your friend:

@hdatma said that he is using OSX. Having configuration examples for different init systems would be nice though..

[untitaker]

I don't see why Radicale is responsible for documenting this.

[hdatma]

Opened in 2016, this issue is still unresolved in 2024. It is now evident that Radicale is a LAN-only service, with lots of risk mitigations that must be applied but are still to be identified and resolved by the project. Delegating risk mitigation to the user, to the point that the documentation itself is missing a section on this problem, is a no go for me and a solid barrier to adoption.

[untitaker]

radicale clearly documents which ports it listens on. examples for various OSes on how to block ports are nice to have (mastodon has them) but absolutely not a requirement, and extremely rare in webservice docs in general. if you rely on pre-made iptables rules to secure your system adequately you should not expose it to the internet in the first place. LAN is less risky.

…

On Mon, Mar 11, 2024, at 10:35, Rupert wrote: Opened in 2016, this issue is still unresolved in 2024. It is now evident that Radicale is a LAN-only service, with lots of risk mitigations that must be applied but are still to be identified and resolved by the project. Delegating risk mitigation to the user, to the point that the documentation itself is missing a section on this problem, is a no go for me and a solid barrier to adoption. — Reply to this email directly, view it on GitHub <#421 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGMPRI465ABDSFOGUQWH4DYXV3FZAVCNFSM4CFRMSY2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOJYG44TQMBSHEYQ>. You are receiving this because you commented.Message ID: ***@***.***>

[pbiering]

Nowadays, radicale is usually started by systemd and the example for the unit file configures already a bunch of security options:

https://github.com/Kozea/Radicale/blob/master/DOCUMENTATION.md
(search for systemd)

Or use radicale in a container.

@hdatma : if this is not enough level of security (nobody else claimed about so far), then please provide documentation how a higher security level can be reached using radicale or choose a different software which covers all your security needs.