Harden systemd unit file
This commit is contained in:
Simon Marsh
parent
79081f79d2
commit
2d5839e044
GPG Key ID:
7B9FE8780CFB6593
@ -14,6 +14,17 @@ User=regsrv
|
|||||||
Group=registry
|
Group=registry
|
||||||
Type=simple
|
Type=simple
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
# service hardening
|
||||||
|
ProtectSystem=strict
|
||||||
|
ReadOnlyPaths=/home/regsrv/go/src/git.dn42.us/burble/dn42regsrv/StaticRoot
|
||||||
|
ReadWritePaths=/home/regsrv/registry
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
DevicePolicy=closed
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
#
|
||||||
ExecStart=/home/regsrv/go/bin/dn42regsrv \
|
ExecStart=/home/regsrv/go/bin/dn42regsrv \
|
||||||
-s /home/regsrv/go/src/git.dn42.us/burble/dn42regsrv/StaticRoot \
|
-s /home/regsrv/go/src/git.dn42.us/burble/dn42regsrv/StaticRoot \
|
||||||
-d /home/regsrv/registry
|
-d /home/regsrv/registry
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user