gnunet-developers

Re: [GNUnet-developers] service files


From: Schanzenbach, Martin
Subject: Re: [GNUnet-developers] service files
Date: Thu, 7 Mar 2019 16:48:19 +0100

Hi,

> On 7. Mar 2019, at 15:28, address@hidden wrote:
> 
> I just learned about a couple more specific systemd settings.
> The ones I think which could be useful to extend our systemd
> example service with are below.
> 
>> PrivateTmp:
>> Use private /tmp and /var/tmp folders inside a new file system namespace, 
>> which are discarded after the process stops.

GNUnet has lots of things that need persistence. Like cryptographic keys.

> 
>> ProtectHome:
>> The /home, /root, and /run/user folders can not be accessed by this service 
>> anymore. If your Pleroma user has its home folder in one of the restricted 
>> places, or use one of these folders as its working directory, you have to 
>> set this to false.
> 

See above. /home/<user>/.config/gnunet et al.

>> ProtectSystem:
>> Mount /usr, /boot, and /etc as read-only for processes invoked by this 
>> service.
> 
This might be interesting wrt hardening? Idk.

> 
> Do you think this is okay for a good user experience, or should
> this be a separate example file?

Attachment: signature.asc
Description: Message signed with OpenPGP
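
An added example, not part of the original thread and not GNUnet's own service file: a systemd drop-in showing how the three settings discussed above can be combined with state that must persist. The unit name `gnunet.service`, the drop-in path, and the use of `StateDirectory=` are assumptions; the home-directory variant keeps the thread's `/home/<user>/.config/gnunet` path with `<user>` as a placeholder.

```ini
# /etc/systemd/system/gnunet.service.d/hardening.conf
# (hypothetical drop-in path and unit name, used for illustration only)
[Service]

# Replaces only /tmp and /var/tmp with private mounts that are discarded
# when the service stops. Files stored anywhere else are not affected.
PrivateTmp=true

# "full" mounts /usr, the boot loader directories and /etc read-only,
# matching the description quoted in the thread. "true" would leave /etc
# writable; "strict" makes the whole file system hierarchy read-only
# except /dev, /proc and /sys.
ProtectSystem=full

# --- Variant A (assumption): state lives outside /home -----------------
# StateDirectory= creates /var/lib/gnunet, owned by the service user, and
# keeps it writable even under ProtectSystem=strict. The service must be
# configured to store its keys and databases there.
StateDirectory=gnunet
# With no state under /home, the home directories can be hidden entirely.
ProtectHome=true

# --- Variant B (assumption): state stays in the user's home ------------
# Comment out the two Variant A lines above and use these instead.
# "tmpfs" hides /home, /root and /run/user behind empty read-only mounts;
# BindPaths= then makes only the one needed directory visible and
# writable inside the service's namespace.
#ProtectHome=tmpfs
#BindPaths=/home/<user>/.config/gnunet
```

Running `systemd-analyze security` with the unit name reports which of these sandboxing options a loaded unit has enabled.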

