authorMichael Koppmann <me@mkoppmann.at>2018-12-15 16:04:23 +0000
committerRigel Kent <par@rigelk.eu>2018-12-15 17:04:23 +0100
commita46934c825d5dea4154fb100abf26ec3bc28d5a4 (patch)
tree0a93477d6463e45e5c51359e286cdc0308fc2a8b
parentab4dbe36579f6d92511e78cae2762c49a97001fe (diff)
more systemd service hardening (#1488)
-rw-r--r--support/systemd/peertube.service5
1 files changed, 5 insertions, 0 deletions
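diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service
index c1bdcf760..fba644788 100644
--- a/support/systemd/peertube.service
+++ b/support/systemd/peertube.service
@@ -28,6 +28,11 @@ PrivateDevices=false
 ; Ensures that the service process and all its children can never gain new
 ; privileges through execve().
 NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 
 [Install]
 WantedBy=multi-user.target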
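Review bot: `CapabilityBoundingSet=~CAP_SYS_ADMIN` is a deny-list of one entry, so every other capability (CAP_SYS_PTRACE, CAP_DAC_OVERRIDE, CAP_NET_ADMIN and the rest) stays in the bounding set of the service. The `User=` line and the listening port are outside this hunk, so this needs confirming, but if the daemon runs unprivileged on a high port it needs no capabilities at all, and an empty allow-list `CapabilityBoundingSet=` with the comment `; Drops all capabilities; the daemon runs unprivileged and needs none.` would be the tighter setting. `ProtectHome=true` will break any install whose `WorkingDirectory=` or storage path lives under /home; the comment warns about this in general terms, and naming the settings to check would make the warning actionable. Running `systemd-analyze security peertube.service` after the change shows which exposures remain.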