vh/rest-server
1
0
Fork 0
mirror of https://github.com/restic/rest-server.git synced 2025-12-07 09:36:13 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #149 from tim-seoss/systemd-unit-file-enhancement

Browse Source 
Improve security of example systemd unit file
This commit is contained in:
MichaelEischer
2021-06-05 14:37:42 +02:00
committed by GitHub
parent 1ca9ca7e50 2bf01df6bf
commit c36ae5fe03
2 changed files with 60 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
changelog/unreleased/issue-148 Normal file
View File

@@ -0,0 +1,8 @@
Enhancement: Expand use of security features in example systemd unit file
Additional systemd features have been used which may mitigate potential
security vulnerabilities in rest-server and the various packages and operating
system components which it relies upon.
https://github.com/restic/rest-server/issues/148
https://github.com/restic/rest-server/pull/149

54
examples/systemd/rest-server.service
View File

@@ -5,18 +5,68 @@ After=network.target
[Service] [Service]
Type=simple Type=simple
# You may prefer to use a different user or group on your system.
User=www-data User=www-data
Group=www-data Group=www-data
ExecStart=/usr/local/bin/rest-server --path /path/to/backups ExecStart=/usr/local/bin/rest-server --path /path/to/backups
Restart=always Restart=always
RestartSec=5 RestartSec=5
# Optional security enhancements # The following options are available (in systemd v247) to restrict the
# actions of the rest-server.
# As a whole, the purpose of these are to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.
# IMPORTANT!
# The following line must be customised to your individual requirements.
ReadWritePaths=/path/to/backups
# Makes created files group-readable, but inaccessible by others
UMask=027
# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
# some of the lines below as appropriate.
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ReadWritePaths=/path/to/backups ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
# individual requirements of your installation.
#CPUQuota=25%
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
#IPAccounting=true
#IPAddressAllow=
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target