From 3114c2c2cc1009ac88f043f97927b300710ef29e Mon Sep 17 00:00:00 2001 From: Rigel Kent Date: Wed, 5 Dec 2018 19:39:48 +0100 Subject: hardening systemd unit --- support/systemd/peertube.service | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'support/systemd/peertube.service') diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service index 88856385c..c1bdcf760 100644 --- a/support/systemd/peertube.service +++ b/support/systemd/peertube.service @@ -15,5 +15,19 @@ StandardError=syslog SyslogIdentifier=peertube Restart=always +; Some security directives. +; Use private /tmp and /var/tmp folders inside a new file system namespace, +; which are discarded after the process stops. +PrivateTmp=true +; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. +ProtectSystem=full +; Sets up a new /dev mount for the process and only adds API pseudo devices +; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled +; by default because it may not work on devices like the Raspberry Pi. +PrivateDevices=false +; Ensures that the service process and all its children can never gain new +; privileges through execve(). +NoNewPrivileges=true + [Install] WantedBy=multi-user.target -- cgit v1.2.3 From a46934c825d5dea4154fb100abf26ec3bc28d5a4 Mon Sep 17 00:00:00 2001 From: Michael Koppmann Date: Sat, 15 Dec 2018 16:04:23 +0000 Subject: more systemd service hardening (#1488) --- support/systemd/peertube.service | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'support/systemd/peertube.service') diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service index c1bdcf760..fba644788 100644 --- a/support/systemd/peertube.service +++ b/support/systemd/peertube.service @@ -28,6 +28,11 @@ PrivateDevices=false ; Ensures that the service process and all its children can never gain new ; privileges through execve(). NoNewPrivileges=true +; This makes /home, /root, and /run/user inaccessible and empty for processes invoked +; by this unit. Make sure that you do not depend on data inside these folders. +ProtectHome=true +; Drops the sys admin capability from the daemon. +CapabilityBoundingSet=~CAP_SYS_ADMIN [Install] WantedBy=multi-user.target -- cgit v1.2.3