From e9c4b798d5c851083fce38fb19b8ff1f65bb53cc Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Sat, 11 Jan 2020 13:33:34 +0100
Subject: [PATCH] Update php systemd service files
---
 etc/systemd/system/php7.2-fpm@.service | 3 +--
 etc/systemd/system/php7.2-fpm@default.service | 3 ++-
 etc/systemd/system/php7.3-fpm.service | 1 -
 etc/systemd/system/php7.3-fpm@.service | 3 +--
 etc/systemd/system/php7.3-fpm@default.service | 3 ++-
 etc/systemd/system/php7.4-fpm@.service | 3 +--
 etc/systemd/system/php7.4-fpm@default.service | 3 ++-
 7 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/etc/systemd/system/php7.2-fpm@.service b/etc/systemd/system/php7.2-fpm@.service
index fd2245a..eec58da 100644
--- a/etc/systemd/system/php7.2-fpm@.service
+++ b/etc/systemd/system/php7.2-fpm@.service
@@ -14,8 +14,7 @@ LimitNOFILE=100000
 TimeoutStartSec=300
 ProtectSystem=strict
 PrivateTmp=true
-# sendmail requires it... enable once chrooted
-#NoNewPrivileges=true
+NoNewPrivileges=true
 PrivateDevices=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
diff --git a/etc/systemd/system/php7.2-fpm@default.service b/etc/systemd/system/php7.2-fpm@default.service
index 93feefb..ac55a13 100644
--- a/etc/systemd/system/php7.2-fpm@default.service
+++ b/etc/systemd/system/php7.2-fpm@default.service
@@ -14,7 +14,7 @@ LimitNOFILE=100000
 TimeoutStartSec=300
 ProtectSystem=strict
 PrivateTmp=true
-# sendmail requires it... enable once chrooted
+# sendmail requires it...
 #NoNewPrivileges=true
 PrivateDevices=true
 ProtectKernelTunables=true
@@ -27,6 +27,7 @@ ReadWritePaths=-/var/run/
 ReadWritePaths=-/run/
 ReadWritePaths=-/var/local/squirrelmail/
 ReadWritePaths=-/var/www/
+ReadWritePaths=-/var/spool/postfix/
 InaccessiblePaths=-/root/
 CPUQuota=100%
 MemoryHigh=25%
diff --git a/etc/systemd/system/php7.3-fpm.service b/etc/systemd/system/php7.3-fpm.service
index 6923625..3a5f376 100644
--- a/etc/systemd/system/php7.3-fpm.service
+++ b/etc/systemd/system/php7.3-fpm.service
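Review bot: `NoNewPrivileges=true` is switched on in the template unit while the comment that recorded the old constraint ("sendmail requires it") is removed with nothing in its place. With this setting the setuid/setgid bits are ignored on exec, so a setgid mail-submission helper started from a pool under this template will presumably no longer work; a comment such as `# NoNewPrivileges blocks setuid/setgid helpers such as sendmail; only the @default instance keeps it off` would keep that trade-off visible to the next editor. The same applies to the matching hunks in php7.3-fpm@.service and php7.4-fpm@.service. The [Service] section starts and ends outside the hunk.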
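Review bot: `ReadWritePaths=-/var/spool/postfix/` makes the whole Postfix spool writable for the one instance that also keeps `NoNewPrivileges` commented out, so the least confined unit gets the widest mail-queue access. If the goal is local submission through sendmail, as the comment in the previous hunk suggests, the narrower `ReadWritePaths=-/var/spool/postfix/maildrop/` is likely sufficient and leaves the other queue directories read-only under `ProtectSystem=strict`; this should be tested against the installed Postfix before relying on it. A one-line comment above the entry saying why the path is writable would also help. The php7.3-fpm@default.service and php7.4-fpm@default.service hunks add the same line.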
@@ -11,7 +11,6 @@ Type=oneshot RemainAfterExit=yes ExecStart=/bin/true ExecReload=/bin/true -RuntimeDirectoryPreserve=yes [Install] WantedBy=multi-user.target
diff --git a/etc/systemd/system/php7.3-fpm@.service b/etc/systemd/system/php7.3-fpm@.service
index 7d1d91b..4493690 100644
--- a/etc/systemd/system/php7.3-fpm@.service
+++ b/etc/systemd/system/php7.3-fpm@.service
@@ -14,8 +14,7 @@ LimitNOFILE=100000
 TimeoutStartSec=300
 ProtectSystem=strict
 PrivateTmp=true
-# sendmail requires it... enable once chrooted
-#NoNewPrivileges=true
+NoNewPrivileges=true
 PrivateDevices=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
diff --git a/etc/systemd/system/php7.3-fpm@default.service b/etc/systemd/system/php7.3-fpm@default.service
index 5d5c048..e0f5cb0 100644
--- a/etc/systemd/system/php7.3-fpm@default.service
+++ b/etc/systemd/system/php7.3-fpm@default.service
@@ -14,7 +14,7 @@ LimitNOFILE=100000
 TimeoutStartSec=300
 ProtectSystem=strict
 PrivateTmp=true
-# sendmail requires it... enable once chrooted
+# sendmail requires it...
 #NoNewPrivileges=true
 PrivateDevices=true
 ProtectKernelTunables=true
@@ -27,6 +27,7 @@ ReadWritePaths=-/var/run/
 ReadWritePaths=-/run/
 ReadWritePaths=-/var/local/squirrelmail/
 ReadWritePaths=-/var/www/
+ReadWritePaths=-/var/spool/postfix/
 InaccessiblePaths=-/root/
 CPUQuota=100%
 MemoryHigh=25%
diff --git a/etc/systemd/system/php7.4-fpm@.service b/etc/systemd/system/php7.4-fpm@.service
index 3432a1a..a689e58 100644
--- a/etc/systemd/system/php7.4-fpm@.service
+++ b/etc/systemd/system/php7.4-fpm@.service
@@ -14,8 +14,7 @@ LimitNOFILE=100000
 TimeoutStartSec=300
 ProtectSystem=strict
 PrivateTmp=true
-# sendmail requires it... enable once chrooted
-#NoNewPrivileges=true
+NoNewPrivileges=true
 PrivateDevices=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
diff --git a/etc/systemd/system/php7.4-fpm@default.service b/etc/systemd/system/php7.4-fpm@default.service
index 1dd9cfe..1e4fff7 100644
--- a/etc/systemd/system/php7.4-fpm@default.service
+++ b/etc/systemd/system/php7.4-fpm@default.service
@@ -14,7 +14,7 @@ LimitNOFILE=100000
 TimeoutStartSec=300
 ProtectSystem=strict
 PrivateTmp=true
-# sendmail requires it... enable once chrooted
+# sendmail requires it...
 #NoNewPrivileges=true
 PrivateDevices=true
 ProtectKernelTunables=true
@@ -27,6 +27,7 @@ ReadWritePaths=-/var/run/
 ReadWritePaths=-/run/
 ReadWritePaths=-/var/local/squirrelmail/
 ReadWritePaths=-/var/www/
+ReadWritePaths=-/var/spool/postfix/
 InaccessiblePaths=-/root/
 CPUQuota=100%
 MemoryHigh=25%