From c9b2bf0ad8bfb0ebb756bd587787dbb402449a22 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Mon, 23 Dec 2019 17:52:27 +0530
Subject: [PATCH] systemd: Configure security options

Signed-off-by: Harsh Shandilya
---
 systemd_units/daas.service | 4 ++++
 systemd_units/gitea.service | 4 ++++
 systemd_units/mirror-bot-2.service | 1 -
 systemd_units/mirror-bot.service | 1 -
 4 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/systemd_units/daas.service b/systemd_units/daas.service
index 52e2212..fb98477 100644
--- a/systemd_units/daas.service
+++ b/systemd_units/daas.service
@@ -12,6 +12,10 @@ User=caddy
 Group=caddy
 ExecStart=/usr/local/bin/daas
 Restart=always
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/gitea.service b/systemd_units/gitea.service
index bb8a3d9..7d34e09 100644
--- a/systemd_units/gitea.service
+++ b/systemd_units/gitea.service
@@ -15,6 +15,10 @@ WorkingDirectory=/var/lib/gitea/
 ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
 Restart=always
 Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=full
+ReadWriteDirectories=/var/lib/gitea
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
diff --git a/systemd_units/mirror-bot-2.service b/systemd_units/mirror-bot-2.service
index 0f87da2..2dfaa3e 100644
--- a/systemd_units/mirror-bot-2.service
+++ b/systemd_units/mirror-bot-2.service
@@ -15,7 +15,6 @@ KillSignal=SIGQUIT
 TimeoutStopSec=5s
 PrivateTmp=true
 PrivateDevices=true
-ProtectSystem=full
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd_units/mirror-bot.service b/systemd_units/mirror-bot.service
index 6684587..12cd4f0 100644
--- a/systemd_units/mirror-bot.service
+++ b/systemd_units/mirror-bot.service
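Review bot: `NoNewPrivileges=true` is missing from the directives added to daas.service, so a process in the unit can still gain privileges through a setuid or setgid binary; the gitea.service hunk has the same gap. The unit already runs as `User=caddy`, so adding `NoNewPrivileges=true` after `ProtectSystem=full` should be safe unless daas executes a setuid helper, which is not visible here. `ProtectSystem=full` also leaves /var, /srv and /opt writable, so `ProtectSystem=strict` with an explicit `ReadWritePaths=` is the tighter choice if daas only writes to a known directory. `systemd-analyze security daas.service` lists what remains exposed. The [Service] section starts above the hunk.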
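Review bot: `ReadWriteDirectories=/var/lib/gitea` has no effect as added in gitea.service, because `ProtectSystem=full` only makes /usr, /boot, /efi and /etc read-only and /var stays writable regardless; the name is also the older spelling of `ReadWritePaths=`. If the intent is to confine Gitea's writes, use `ProtectSystem=strict` with `ReadWritePaths=/var/lib/gitea /home/git`, where the second path is inferred from `HOME=/home/git` on the context line and should be confirmed. With /etc read-only, any write Gitea makes to `/etc/gitea/app.ini` at runtime will fail, so check whether it still needs that after initial setup. The [Service] section starts above the hunk.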
@@ -15,7 +15,6 @@ KillSignal=SIGQUIT
 TimeoutStopSec=5s
 PrivateTmp=true
 PrivateDevices=true
-ProtectSystem=full
 [Install]
 WantedBy=multi-user.target