From: Michael Koppmann <me@mkoppmann.at>
Date: Sat, 15 Dec 2018 16:04:23 +0000 (+0000)
Subject: more systemd service hardening (#1488)
X-Git-Tag: v1.2.0-rc.1~68
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=a46934c825d5dea4154fb100abf26ec3bc28d5a4;p=oweals%2Fpeertube.git

more systemd service hardening (#1488)
---

diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service
index c1bdcf760..fba644788 100644
--- a/support/systemd/peertube.service
+++ b/support/systemd/peertube.service
@@ -28,6 +28,11 @@ PrivateDevices=false
 ; Ensures that the service process and all its children can never gain new
 ; privileges through execve().
 NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 
 [Install]
 WantedBy=multi-user.target