(parent:
ab4dbe3
)
more systemd service hardening (#1488)
author
Michael Koppmann
<me@mkoppmann.at>
Sat, 15 Dec 2018 16:04:23 +0000
(16:04 +0000)
committer
Rigel Kent
<par@rigelk.eu>
Sat, 15 Dec 2018 16:04:23 +0000
(17:04 +0100)
support/systemd/peertube.service
diff --git
a/support/systemd/peertube.service
b/support/systemd/peertube.service
index c1bdcf760b71e74aaf35405e8d6a211990376e26..fba644788dc08edace817d455cb514d7485c8159 100644
--- a/
support/systemd/peertube.service
+++ b/
support/systemd/peertube.service
@@
-28,6
+28,11
@@
PrivateDevices=false
; Ensures that the service process and all its children can never gain new
; privileges through execve().
NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
[Install]
WantedBy=multi-user.target
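Review bot: `CapabilityBoundingSet=~CAP_SYS_ADMIN` is a deny-list that removes one capability and leaves every other one (for example CAP_SYS_PTRACE, CAP_NET_ADMIN, CAP_DAC_OVERRIDE) in the bounding set, so it restricts much less than an allow-list would. If the daemon needs no capabilities at all, `CapabilityBoundingSet=` (empty value) clears the set; if it has to bind a port below 1024, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` keeps only that one. Which of the two applies depends on the User= and listen settings, which sit in the part of [Service] outside this hunk, so confirm against them and check the result with `systemd-analyze security peertube.service`. The comment above the line would also be more useful if it stated the intent rather than the mechanism, e.g. `; Limit the capabilities the service and its children can ever acquire.`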