diff options
author | Michael Koppmann <me@mkoppmann.at> | 2018-12-15 16:04:23 +0000 |
---|---|---|
committer | Rigel Kent <par@rigelk.eu> | 2018-12-15 17:04:23 +0100 |
commit | a46934c825d5dea4154fb100abf26ec3bc28d5a4 (patch) | |
tree | 0a93477d6463e45e5c51359e286cdc0308fc2a8b | |
parent | ab4dbe36579f6d92511e78cae2762c49a97001fe (diff) | |
download | PeerTube-a46934c825d5dea4154fb100abf26ec3bc28d5a4.tar.gz PeerTube-a46934c825d5dea4154fb100abf26ec3bc28d5a4.tar.zst PeerTube-a46934c825d5dea4154fb100abf26ec3bc28d5a4.zip |
more systemd service hardening (#1488)
-rw-r--r-- | support/systemd/peertube.service | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service index c1bdcf760..fba644788 100644 --- a/support/systemd/peertube.service +++ b/support/systemd/peertube.service | |||
@@ -28,6 +28,11 @@ PrivateDevices=false | |||
28 | ; Ensures that the service process and all its children can never gain new | 28 | ; Ensures that the service process and all its children can never gain new |
29 | ; privileges through execve(). | 29 | ; privileges through execve(). |
30 | NoNewPrivileges=true | 30 | NoNewPrivileges=true |
31 | ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked | ||
32 | ; by this unit. Make sure that you do not depend on data inside these folders. | ||
33 | ProtectHome=true | ||
34 | ; Drops the sys admin capability from the daemon. | ||
35 | CapabilityBoundingSet=~CAP_SYS_ADMIN | ||
31 | 36 | ||
32 | [Install] | 37 | [Install] |
33 | WantedBy=multi-user.target | 38 | WantedBy=multi-user.target |