Set ProtectHome in systemd service file
Further hardening; the service should be run with as many restrictions as possible without breaking it.
This commit is contained in:
setpill
parent
639a416e37
commit
870d4152df
|
|
@ -58,6 +58,9 @@ PrivateTmp=true
|
|||
# Mount /usr, /boot/ and /etc read-only for the process.
|
||||
ProtectSystem=full
|
||||
|
||||
# Deny access to /home, /root and /run/user
|
||||
ProtectHome=true
|
||||
|
||||
# Disallow the process and all of its children to gain
|
||||
# new privileges through execve().
|
||||
NoNewPrivileges=true
|
||||
|
|
|
|||
Loading…
Reference in a new issue