Introduce systemd.exec restrictions for better security
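--- /dev/null
+++ b/etc/systemd/system/dovecot.service.d/custom.conf
@@ -0,0 +1,17 @@
+[Service]
+LimitNOFILE=100000
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+BindPaths=/run/dovecot/
+BindPaths=/var/run/dovecot/
+BindPaths=/var/lib/dovecot/
+InaccessiblePaths=/var/www/
+InaccessiblePaths=/root/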
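Review bot: None of the three BindPaths= entries is a mail store, so with ProtectSystem=strict any mailbox root outside /var/lib/dovecot (for example /var/mail or Maildirs under /home, depending on mail_location) becomes read-only and delivery and index writes there will fail once this drop-in is active; the mailbox root should be added as `ReadWritePaths=<MAIL_STORE_PATH>` after checking dovecot.conf. ReadWritePaths= is also the directive documented for carving writable exceptions out of ProtectSystem=strict, whereas BindPaths= with a single path only bind-mounts it onto itself, so the intent reads more clearly with ReadWritePaths= even if the self-bind happens to work. On systems where /var/run is a symlink to /run, the /var/run/dovecot/ line duplicates the /run/dovecot/ one. A one-line comment such as `# writable exceptions to ProtectSystem=strict` above the path entries would help the next reader.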
@ -1,2 +1,18 @@
|
||||
[Service]
|
||||
LimitNOFILE=100000
|
||||
ProtectSystem=strict
|
||||
PrivateTmp=true
|
||||
NoNewPrivileges=true
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
PrivateUsers=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
LockPersonality=true
|
||||
SystemCallArchitectures=native
|
||||
BindPaths=/var/log/mysql/
|
||||
BindPaths=/var/lib/mysql/
|
||||
BindPaths=/var/run/mysqld/
|
||||
BindPaths=/run/mysqld/
|
||||
InaccessiblePaths=/var/www/
|
||||
|
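Review bot: PrivateUsers=true gives the service a user namespace in which only root and the unit's own User=/Group= are mapped and every other uid appears as nobody, so if the base unit starts mysqld as root and lets it drop to the mysql account itself, that switch targets an unmapped uid and the daemon will not start; confirm the base unit sets `User=mysql` before relying on this line, or remove `PrivateUsers=true`. The file header for this hunk is not shown here, and the two pre-existing lines appear to be `[Service]` and `LimitNOFILE=100000`. A short `# needs User=mysql in the base unit: PrivateUsers= unmaps all other uids` comment above the line would record the dependency.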
@ -6,3 +6,17 @@ ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
|
||||
ExecStartPre=
|
||||
ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
|
||||
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
|
||||
ProtectSystem=strict
|
||||
PrivateTmp=true
|
||||
NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
LockPersonality=true
|
||||
SystemCallArchitectures=native
|
||||
BindPaths=/var/log/nginx/
|
||||
BindPaths=/var/lib/nginx/
|
||||
BindPaths=/var/run/
|
||||
BindPaths=/run/
|
||||
InaccessiblePaths=/root/
|
||||
|
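Review bot: `BindPaths=/var/run/` and `BindPaths=/run/` make the entire runtime directory writable inside the sandbox, including other services' sockets and pid files, which gives up most of what ProtectSystem=strict buys for this unit; the hunk suggests this is only there so the `install -d /var/run/nginx` ExecStartPre= and the pid file can write under /run. `RuntimeDirectory=nginx` has systemd create /run/nginx before the service starts and, as far as I recall, keeps it writable under ProtectSystem=strict, which would let both broad bind lines go; note it is created with the unit's User=/Group= ownership, so the www-data ownership the install line sets needs checking against what the workers actually write there. The ExecStop= line in the hunk header shows /run/nginx.pid, so the pid file must stay writable too, most simply by pointing nginx's pid directive into /run/nginx. The enclosing [Service] section starts outside the hunk, and its file header is not shown here.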
@ -12,6 +12,20 @@ ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-f
|
||||
ExecReload=/bin/kill -USR2 $MAINPID
|
||||
LimitNOFILE=100000
|
||||
TimeoutStartSec=300
|
||||
ProtectSystem=strict
|
||||
PrivateTmp=true
|
||||
# sendmail requires it... enable once chrooted
|
||||
#NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
LockPersonality=true
|
||||
SystemCallArchitectures=native
|
||||
BindPaths=/var/log/
|
||||
BindPaths=/var/run/php/
|
||||
BindPaths=/run/php/
|
||||
InaccessiblePaths=/root/
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
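Review bot: `BindPaths=/var/log/` makes the whole log tree writable inside the sandbox, so a PHP application running under a www-data pool could alter or truncate other services' logs, which undermines the tamper-resistance ProtectSystem=strict otherwise gives; narrowing it to the FPM log, e.g. `ReadWritePaths=<PHP_FPM_LOG_PATH>` (path from the pool's error_log), or using `LogsDirectory=` keeps the rest of /var/log read-only. The same line appears in the second php-fpm hunk below (the one adding /var/lib/php/sessions and /var/local/squirrelmail/), which should get the same change. The commented-out NoNewPrivileges=true deserves a fuller note, since the systemd.exec man page lists PrivateDevices=, ProtectKernelTunables=, LockPersonality= and SystemCallArchitectures= among the settings that override NoNewPrivileges=, and whether that applies here depends on the php-fpm master retaining CAP_SYS_ADMIN; something like `# NoNewPrivileges= left off so php mail() can exec the privileged sendmail helper; other sandbox options may still imply it for non-root services` records both halves. The enclosing [Service] section starts outside the hunk, and its file header is not shown here.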
@ -12,6 +12,22 @@ ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-f
|
||||
ExecReload=/bin/kill -USR2 $MAINPID
|
||||
LimitNOFILE=100000
|
||||
TimeoutStartSec=300
|
||||
ProtectSystem=strict
|
||||
PrivateTmp=true
|
||||
# sendmail requires it... enable once chrooted
|
||||
#NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
LockPersonality=true
|
||||
SystemCallArchitectures=native
|
||||
BindPaths=/var/log/
|
||||
BindPaths=/var/run/php/
|
||||
BindPaths=/run/php/
|
||||
BindPaths=/var/lib/php/sessions
|
||||
BindPaths=/var/local/squirrelmail/
|
||||
InaccessiblePaths=/root/
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
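--- /dev/null
+++ b/etc/systemd/system/postfix.service.d/custom.conf
@@ -0,0 +1,15 @@
+[Service]
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+#PrivateUsers=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+BindPaths=/var/spool/
+BindPaths=/var/lib/postfix/
+InaccessiblePaths=/var/www/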
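Review bot: `BindPaths=/var/spool/` makes every spool under /var/spool writable, not just Postfix's own, so cron, at and any other service spools lose the read-only protection; `BindPaths=/var/spool/postfix/` (or `ReadWritePaths=/var/spool/postfix/`) is the narrower choice. The same broad entry is in the postfix@.service.d drop-in below. `#PrivateUsers=true` is left commented out with no reason recorded; a short `# PrivateUsers= disabled: <reason>` comment would stop it being re-enabled blindly, presumably because Postfix's own switching to the postfix user and, for local delivery, to recipient uids cannot work when only root and the unit's User= are mapped.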
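--- /dev/null
+++ b/etc/systemd/system/postfix@.service.d/custom.conf
@@ -0,0 +1,15 @@
+[Service]
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+#PrivateUsers=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+BindPaths=/var/spool/
+BindPaths=/var/lib/
+InaccessiblePaths=/var/www/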
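Review bot: `BindPaths=/var/lib/` makes the whole of /var/lib writable, which covers the state of every other service on the host (databases, package-manager state, the other units' own directories) and effectively turns ProtectSystem=strict off for this unit; the postfix.service.d drop-in above uses `BindPaths=/var/lib/postfix/`, and this one should match. If this is the Debian packaging, the postfix@ instance units are what actually run the daemons, so this drop-in is the one whose sandbox counts. `BindPaths=/var/spool/` shares the breadth problem raised on the postfix.service.d hunk.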
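--- /dev/null
+++ b/etc/systemd/system/vsftpd.service.d/custom.conf
@@ -0,0 +1,13 @@
+[Service]
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+InaccessiblePaths=/var/www/
+InaccessiblePaths=/root/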
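Review bot: This drop-in lists no writable path at all, so under ProtectSystem=strict vsftpd can only write to /dev, /proc, /sys and its private /tmp; if vsftpd.conf has xferlog_enable=YES (commonly the default) the transfer log under /var/log cannot be opened, and any upload directories enabled with write_enable=YES are read-only as well, so sessions may fail in ways the unit status will not explain. Each such location needs a `ReadWritePaths=` entry, e.g. `ReadWritePaths=<VSFTPD_LOG_PATH>` and `ReadWritePaths=<UPLOAD_ROOT>`, after checking the vsftpd configuration. A comment such as `# read-only root: add ReadWritePaths= for logs and upload dirs` above ProtectSystem=strict would record the constraint.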