From 20fe29aaf9f64850e21b1c0ced95278c7a4a4329 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Sat, 27 Jun 2015 21:43:26 +0200
Subject: add some extra security to systemd units
---
 systemd/pacdbserve.service | 4 ++++
 systemd/pacredir.service | 4 ++++
 systemd/pacserve.service | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/systemd/pacdbserve.service b/systemd/pacdbserve.service
index aebd368..fcde113 100644
--- a/systemd/pacdbserve.service
+++ b/systemd/pacdbserve.service
@@ -6,6 +6,10 @@ After=network.target
 User=nobody
 Group=nobody
 ExecStart=/usr/bin/darkhttpd /var/lib/pacman/sync/ --port 7079
+ProtectSystem=full
+ProtectHome=on
+PrivateDevices=on
+NoNewPrivileges=on
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd/pacredir.service b/systemd/pacredir.service
index adb9087..2fa1328 100644
--- a/systemd/pacredir.service
+++ b/systemd/pacredir.service
@@ -7,6 +7,10 @@ After=avahi-daemon.service
 User=nobody
 Group=nobody
 ExecStart=/usr/bin/pacredir
+ProtectSystem=full
+ProtectHome=on
+PrivateDevices=on
+NoNewPrivileges=on
 [Install]
 WantedBy=multi-user.target
diff --git a/systemd/pacserve.service b/systemd/pacserve.service
index 74db6ef..6ec4aab 100644
--- a/systemd/pacserve.service
+++ b/systemd/pacserve.service
@@ -6,6 +6,10 @@ After=network.target
 User=nobody
 Group=nobody
 ExecStart=/usr/bin/darkhttpd /var/cache/pacman/pkg/ --port 7078
+ProtectSystem=full
+ProtectHome=on
+PrivateDevices=on
+NoNewPrivileges=on
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3-70-g09d2
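Review bot: `ProtectSystem=full` makes /usr, /boot and /etc read-only but leaves /var writable, so the directory this unit serves (/var/lib/pacman/sync/ in the ExecStart line of pacdbserve.service) is still protected only by file permissions for the shared `nobody` account. Since darkhttpd only needs to read that tree, I would add `ReadOnlyDirectories=/var/lib/pacman/sync/` after the new lines; on systemd versions that support it, `ProtectSystem=strict` covers this more broadly. The same applies to the pacserve.service hunk with /var/cache/pacman/pkg/, while for pacredir.service the paths the daemon touches are not visible here, so confirm them before restricting it. The [Service] section starts above each hunk, so directives already present there are not visible in this patch.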