hardening systemd unit

author: Rigel Kent <sendmemail@rigelk.eu> 2018-12-05 19:39:48 +0100
committer: Chocobozzz <me@florianbigard.com> 2018-12-07 14:14:24 +0100
commit: 3114c2c2cc1009ac88f043f97927b300710ef29e (patch)
tree: b00bcc7ed8b770374faa9ced2fb793cbed144bcb
parent: 314141279db4826bf4862576b7e0df104834ad00 (diff)
download: PeerTube-3114c2c2cc1009ac88f043f97927b300710ef29e.tar.gz
PeerTube-3114c2c2cc1009ac88f043f97927b300710ef29e.tar.zst
PeerTube-3114c2c2cc1009ac88f043f97927b300710ef29e.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service
index 88856385c..c1bdcf760 100644
--- a/support/systemd/peertube.service
+++ b/support/systemd/peertube.service
@@ -15,5 +15,19 @@ StandardError=syslog
 SyslogIdentifier=peertube
 Restart=always
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace,
+; which are discarded after the process stops.
+PrivateTmp=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices
+; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
+; by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new
+; privileges through execve().
+NoNewPrivileges=true
 [Install]
 WantedBy=multi-user.target
author	Rigel Kent <sendmemail@rigelk.eu>	2018-12-05 19:39:48 +0100
committer	Chocobozzz <me@florianbigard.com>	2018-12-07 14:14:24 +0100
commit	3114c2c2cc1009ac88f043f97927b300710ef29e (patch)
tree	b00bcc7ed8b770374faa9ced2fb793cbed144bcb
parent	314141279db4826bf4862576b7e0df104834ad00 (diff)
download	PeerTube-3114c2c2cc1009ac88f043f97927b300710ef29e.tar.gz PeerTube-3114c2c2cc1009ac88f043f97927b300710ef29e.tar.zst PeerTube-3114c2c2cc1009ac88f043f97927b300710ef29e.zip

diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service index 88856385c..c1bdcf760 100644 --- a/support/systemd/peertube.service +++ b/support/systemd/peertube.service
@@ -15,5 +15,19 @@ StandardError=syslog
15	SyslogIdentifier=peertube	15	SyslogIdentifier=peertube
16	Restart=always	16	Restart=always
17		17
		18	; Some security directives.
		19	; Use private /tmp and /var/tmp folders inside a new file system namespace,
		20	; which are discarded after the process stops.
		21	PrivateTmp=true
		22	; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
		23	ProtectSystem=full
		24	; Sets up a new /dev mount for the process and only adds API pseudo devices
		25	; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
		26	; by default because it may not work on devices like the Raspberry Pi.
		27	PrivateDevices=false
		28	; Ensures that the service process and all its children can never gain new
		29	; privileges through execve().
		30	NoNewPrivileges=true
		31
18	[Install]	32	[Install]
19	WantedBy=multi-user.target	33	WantedBy=multi-user.target