diff options
| author | shibayashi <shibayashi@cypherpunk.observer> | 2018-10-25 00:37:31 +0200 |
|---|---|---|
| committer | shibayashi <shibayashi@cypherpunk.observer> | 2018-10-25 00:37:31 +0200 |
| commit | 0a58428de6096f3222dd30d1a1f186150c25f4f2 (patch) | |
| tree | e209d60d5f2a85b3f430c24820a22e6c5a4a509a | |
| parent | 945ce9910dc7b29147ec49af0bdb82202008c7c4 (diff) | |
| download | pleroma-0a58428de6096f3222dd30d1a1f186150c25f4f2.tar.gz pleroma-0a58428de6096f3222dd30d1a1f186150c25f4f2.zip | |
Add some security related directives to the systemd service example
| -rw-r--r-- | installation/pleroma.service | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/installation/pleroma.service b/installation/pleroma.service index fd4180985..e410764f3 100644 --- a/installation/pleroma.service +++ b/installation/pleroma.service @@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID KillMode=process Restart=on-failure +; Some security directives. +; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. +PrivateTmp=true +; This makes /usr, /boot, /etc read-only. +ProtectSystem=full +; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. +PrivateDevices=false +; Ensures that the service process and all its children can never gain new privileges through execve() +NoNewPrivileges=true + [Install] WantedBy=multi-user.target |