From 8a1535ba0cb13f1e9a03e16eaf042c293e251f51 Mon Sep 17 00:00:00 2001
From: Tim Small
Date: Mon, 31 May 2021 11:39:29 +0100
Subject: [PATCH] Improve commenting of systemd unit file based on review.
---
 examples/systemd/rest-server.service | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/examples/systemd/rest-server.service b/examples/systemd/rest-server.service
index b0021a0..d56b052 100644
--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@@ -5,15 +5,31 @@ After=network.target
 [Service]
 Type=simple
+# You may prefer to use a different user or group on your system.
 User=www-data
 Group=www-data
 ExecStart=/usr/local/bin/rest-server --path /path/to/backups
 Restart=always
 RestartSec=5
+
+# The following options are available (in systemd v247) to restrict the
+# actions of the rest-server.
+
+# As a whole, the purpose of these are to provide an additional layer of
+# security by mitigating any unknown security vulnerabilities which may exist
+# in rest-server or in the libraries, tools and operating system components
+# which it relies upon.
+
+# IMPORTANT!
+# The following line must be customised to your individual requirements.
+ReadWritePaths=/path/to/backups
+
 # Makes created files group-readable, but inaccessible by others
 UMask=027
-# Recommended security enhancements using features present in systemd version 247
+# If your system doesn't support all of the features below (e.g. because of
+# the use of an older version of systemd), you may wish to comment-out
+# some of the lines below as appropriate.
 CapabilityBoundingSet=
 LockPersonality=true
 MemoryDenyWriteExecute=true
@@ -31,7 +47,6 @@ ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectHostname=true
 ProcSubset=pid
-ReadWritePaths=/path/to/backups
 RemoveIPC=true
 RestrictNamespaces=true
 RestrictAddressFamilies=AF_INET AF_INET6
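Review bot: The new `# IMPORTANT!` comment above `ReadWritePaths=/path/to/backups` in the first hunk does not say what the value has to agree with. It needs to be the same directory passed to `--path` in `ExecStart`, and since both lines carry the same placeholder, editing one and not the other is an easy mistake. I would extend the comment with `# Must match the --path given in ExecStart above; list only the repository directory.` The comment on `User=www-data` could also say why another account may be preferable, e.g. `# A dedicated account keeps other services running as www-data away from the backups.` For the older-systemd caveat, pointing readers at `systemd-analyze verify` and `systemd-analyze security` would let them check which directives their version accepts; the rest of the hardening block lies outside this hunk.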