danwin1210/hosting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Introduce systemd.exec restrictions for better security

Browse Source
This commit is contained in:
Daniel Winzen
2018-12-07 21:54:44 +01:00
parent 8e155012a7
commit 4f6539b31d
8 changed files with 120 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
etc/systemd/system/dovecot.service.d/custom.conf Normal file
View File

@ -0,0 +1,17 @@
[Service]
LimitNOFILE=100000
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
BindPaths=/run/dovecot/
BindPaths=/var/run/dovecot/
BindPaths=/var/lib/dovecot/
InaccessiblePaths=/var/www/
InaccessiblePaths=/root/

16
etc/systemd/system/mariadb.service.d/custom.conf
View File

@ -1,2 +1,18 @@
[Service] [Service]
LimitNOFILE=100000 LimitNOFILE=100000
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
ProtectHome=true
PrivateDevices=true
PrivateUsers=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
SystemCallArchitectures=native
BindPaths=/var/log/mysql/
BindPaths=/var/lib/mysql/
BindPaths=/var/run/mysqld/
BindPaths=/run/mysqld/
InaccessiblePaths=/var/www/

14
etc/systemd/system/nginx.service.d/custom.conf
View File

@ -6,3 +6,17 @@ ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
ExecStartPre= ExecStartPre=
ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
SystemCallArchitectures=native
BindPaths=/var/log/nginx/
BindPaths=/var/lib/nginx/
BindPaths=/var/run/
BindPaths=/run/
InaccessiblePaths=/root/

14
etc/systemd/system/php7.3-fpm@.service
View File

@ -12,6 +12,20 @@ ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-f
ExecReload=/bin/kill -USR2 $MAINPID ExecReload=/bin/kill -USR2 $MAINPID
LimitNOFILE=100000 LimitNOFILE=100000
TimeoutStartSec=300 TimeoutStartSec=300
ProtectSystem=strict
PrivateTmp=true
# sendmail requires it... enable once chrooted
#NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
SystemCallArchitectures=native
BindPaths=/var/log/
BindPaths=/var/run/php/
BindPaths=/run/php/
InaccessiblePaths=/root/
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

16
etc/systemd/system/php7.3-fpm@default.service
View File

@ -12,6 +12,22 @@ ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-f
ExecReload=/bin/kill -USR2 $MAINPID ExecReload=/bin/kill -USR2 $MAINPID
LimitNOFILE=100000 LimitNOFILE=100000
TimeoutStartSec=300 TimeoutStartSec=300
ProtectSystem=strict
PrivateTmp=true
# sendmail requires it... enable once chrooted
#NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
SystemCallArchitectures=native
BindPaths=/var/log/
BindPaths=/var/run/php/
BindPaths=/run/php/
BindPaths=/var/lib/php/sessions
BindPaths=/var/local/squirrelmail/
InaccessiblePaths=/root/
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

15
etc/systemd/system/postfix.service.d/custom.conf Normal file
View File

@ -0,0 +1,15 @@
[Service]
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
PrivateDevices=true
#PrivateUsers=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
BindPaths=/var/spool/
BindPaths=/var/lib/postfix/
InaccessiblePaths=/var/www/

15
etc/systemd/system/postfix@.service.d/custom.conf Normal file
View File

@ -0,0 +1,15 @@
[Service]
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
PrivateDevices=true
#PrivateUsers=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
BindPaths=/var/spool/
BindPaths=/var/lib/
InaccessiblePaths=/var/www/

13
etc/systemd/system/vsftpd.service.d/custom.conf Normal file
View File

@ -0,0 +1,13 @@
[Service]
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
InaccessiblePaths=/var/www/
InaccessiblePaths=/root/