Introduce systemd.exec restrictions for better security

2018-12-07 21:54:44 +01:00
parent 8e155012a7
commit 4f6539b31d
8 changed files with 120 additions and 0 deletions
--- a/etc/systemd/system/php7.3-fpm@default.service
+++ b/etc/systemd/system/php7.3-fpm@default.service
@ -12,6 +12,22 @@ ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-f
 ExecReload=/bin/kill -USR2 $MAINPID
 LimitNOFILE=100000
 TimeoutStartSec=300
+ProtectSystem=strict
+PrivateTmp=true
+# sendmail requires it... enable once chrooted
+#NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+SystemCallArchitectures=native
+BindPaths=/var/log/
+BindPaths=/var/run/php/
+BindPaths=/run/php/
+BindPaths=/var/lib/php/sessions
+BindPaths=/var/local/squirrelmail/
+InaccessiblePaths=/root/

 [Install]
 WantedBy=multi-user.target