systemd-security: add some easy wins

We can tighten security by adding the following to
the systemd service file:

* NoNewPrivileges: should never be needed
* DevicePolicy: only basics required
* PrivateDevices: only needs mounted stuff, never devs
* ProtectSystem: no need to change boot
* RestrictAddressFamilies: INET, UNIX only

Signed-off-by: Marc <mail@lpcvoid.com>
Marc 2022-01-15 11:03:51 +01:00 committed by Nicola Murino
parent 64d1ea2d89
commit 9b6b9cca3d


@ -17,6 +17,11 @@ KillMode=mixed
PrivateTmp=true
Restart=always
RestartSec=10s
NoNewPrivileges=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
[Install]
WantedBy=multi-user.target
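Review bot: ProtectSystem=true in this hunk is the weakest of the three levels: it only mounts /usr and the boot loader directories read-only and leaves /etc writable, so it buys less than the commit message's "no need to change boot" suggests. ProtectSystem=full additionally protects /etc, and ProtectSystem=strict makes the whole file system read-only except /dev, /proc and /sys, with ReadWritePaths= whitelisting the directories the service must write (its data and log locations, which the hunk does not name). Consider `ProtectSystem=strict` with an explicit `ReadWritePaths=` and record the chosen level in the commit message. Minor: DevicePolicy=closed is already implied by PrivateDevices=yes, so the explicit line is redundant (harmless, but either drop it or comment why it is spelled out). Also verify on a test run that nothing in the service needs a family beyond AF_INET, AF_INET6 and AF_UNIX (for example AF_NETLINK for interface enumeration) before RestrictAddressFamilies lands, since socket() for an unlisted family fails with EAFNOSUPPORT rather than logging a clear error.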