mirror of
https://github.com/processone/ejabberd.git
synced 2024-06-02 21:17:12 +02:00
2e28d06744
Restrict capabilities, have a private tmp directory, private /dev, and don't accessing file system locations that really shouldn't be accessed.
25 lines
542 B
Plaintext
25 lines
542 B
Plaintext
[Unit]
|
|
Description=XMPP Server
|
|
After=network.target
|
|
|
|
[Service]
|
|
User=ejabberd
|
|
Group=ejabberd
|
|
LimitNOFILE=16000
|
|
RestartSec=5
|
|
ExecStart=@ctlscriptpath@/ejabberdctl start
|
|
ExecStop=@ctlscriptpath@/ejabberdctl stop
|
|
ExecReload=@ctlscriptpath@/ejabberdctl reload_config
|
|
Type=oneshot
|
|
RemainAfterExit=yes
|
|
# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
|
|
CapabilityBoundingSet=CAP_DAC_OVERRIDE
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectHome=true
|
|
ProtectSystem=full
|
|
NoNewPrivileges=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|