Merge branch 'develop' into pr/1217

author: Chocobozzz <me@florianbigard.com> 2019-02-11 11:52:34 +0100
committer: Chocobozzz <me@florianbigard.com> 2019-02-11 11:52:34 +0100
commit: 88108880bbdba473cfe36ecbebc1c3c4f972e102 (patch)
tree: b242efb3b4f0d7e49d88f2d1f2063b5b3b0489c0 /support/systemd/peertube.service
parent: 53a94c7cfa8368da4cd248d65df8346905938f0c (diff)
parent: 9b712a2017e4ab3cf12cd6bd58278905520159d0 (diff)
download: PeerTube-88108880bbdba473cfe36ecbebc1c3c4f972e102.tar.gz
PeerTube-88108880bbdba473cfe36ecbebc1c3c4f972e102.tar.zst
PeerTube-88108880bbdba473cfe36ecbebc1c3c4f972e102.zip
1 files changed, 19 insertions, 0 deletions
diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service
index 88856385c..fba644788 100644
--- a/support/systemd/peertube.service
+++ b/support/systemd/peertube.service
@@ -15,5 +15,24 @@ StandardError=syslog
 SyslogIdentifier=peertube
 Restart=always
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace,
+; which are discarded after the process stops.
+PrivateTmp=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices
+; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
+; by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new
+; privileges through execve().
+NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 [Install]
 WantedBy=multi-user.target
author	Chocobozzz <me@florianbigard.com>	2019-02-11 11:52:34 +0100
committer	Chocobozzz <me@florianbigard.com>	2019-02-11 11:52:34 +0100
commit	88108880bbdba473cfe36ecbebc1c3c4f972e102 (patch)
tree	b242efb3b4f0d7e49d88f2d1f2063b5b3b0489c0 /support/systemd/peertube.service
parent	53a94c7cfa8368da4cd248d65df8346905938f0c (diff)
parent	9b712a2017e4ab3cf12cd6bd58278905520159d0 (diff)
download	PeerTube-88108880bbdba473cfe36ecbebc1c3c4f972e102.tar.gz PeerTube-88108880bbdba473cfe36ecbebc1c3c4f972e102.tar.zst PeerTube-88108880bbdba473cfe36ecbebc1c3c4f972e102.zip

diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service index 88856385c..fba644788 100644 --- a/support/systemd/peertube.service +++ b/support/systemd/peertube.service
@@ -15,5 +15,24 @@ StandardError=syslog
15	SyslogIdentifier=peertube	15	SyslogIdentifier=peertube
16	Restart=always	16	Restart=always
17		17
		18	; Some security directives.
		19	; Use private /tmp and /var/tmp folders inside a new file system namespace,
		20	; which are discarded after the process stops.
		21	PrivateTmp=true
		22	; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
		23	ProtectSystem=full
		24	; Sets up a new /dev mount for the process and only adds API pseudo devices
		25	; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
		26	; by default because it may not work on devices like the Raspberry Pi.
		27	PrivateDevices=false
		28	; Ensures that the service process and all its children can never gain new
		29	; privileges through execve().
		30	NoNewPrivileges=true
		31	; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
		32	; by this unit. Make sure that you do not depend on data inside these folders.
		33	ProtectHome=true
		34	; Drops the sys admin capability from the daemon.
		35	CapabilityBoundingSet=~CAP_SYS_ADMIN
		36
18	[Install]	37	[Install]
19	WantedBy=multi-user.target	38	WantedBy=multi-user.target