mirror of
https://github.com/processone/ejabberd.git
synced 2024-11-24 16:23:40 +01:00
Harden the systemd unit
Restrict capabilities, have a private tmp directory, private /dev, and don't accessing file system locations that really shouldn't be accessed.
This commit is contained in:
parent
3446aba753
commit
2e28d06744
@ -12,6 +12,13 @@ ExecStop=@ctlscriptpath@/ejabberdctl stop
|
|||||||
ExecReload=@ctlscriptpath@/ejabberdctl reload_config
|
ExecReload=@ctlscriptpath@/ejabberdctl reload_config
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
|
# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
|
||||||
|
CapabilityBoundingSet=CAP_DAC_OVERRIDE
|
||||||
|
PrivateTmp=true
|
||||||
|
PrivateDevices=true
|
||||||
|
ProtectHome=true
|
||||||
|
ProtectSystem=full
|
||||||
|
NoNewPrivileges=true
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
Loading…
Reference in New Issue
Block a user