Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-06 22:30:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

systemd-security: add some easy wins

Browse Source 
We can tighten security by adding the following to
the systemd service file:

* NoNewPrivileges: should never be needed
* DevicePolicy: only basics required
* PrivateDevices: only needs mounted stuff, never devs
* ProtectSystem: no need to change boot
* RestrictAddressFamilies: INET, UNIX only

Signed-off-by: Marc <mail@lpcvoid.com>
This commit is contained in:
Marc
2022-01-15 11:03:51 +01:00
committed by Nicola Murino
parent 64d1ea2d89
commit 9b6b9cca3d
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
init/sftpgo.service
View File

@@ -17,6 +17,11 @@ KillMode=mixed
PrivateTmp=true PrivateTmp=true
Restart=always Restart=always
RestartSec=10s RestartSec=10s
NoNewPrivileges=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target