Merge pull request #1178 from candrews/patch-1

Harden the systemd unit
2016-07-29 11:33:32 +02:00 · 2016-07-29 11:33:32 +02:00 · 3c58a93eb8
parent a080322055 2e28d06744
commit 3c58a93eb8
1 changed files with 7 additions and 0 deletions
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@ -12,6 +12,13 @@ ExecStop=@ctlscriptpath@/ejabberdctl stop
 ExecReload=@ctlscriptpath@/ejabberdctl reload_config
 Type=oneshot
 RemainAfterExit=yes
+# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true

 [Install]
 WantedBy=multi-user.target