Merge pull request #1178 from candrews/patch-1

Harden the systemd unit
author: Christophe Romain <cromain@users.noreply.github.com> 2016-07-29 11:33:32 +0200
committer: GitHub <noreply@github.com> 2016-07-29 11:33:32 +0200
commit: 3c58a93eb8651fe958ce12519437d0cc28abb662 (patch)
tree: e90e62663a76061a863ae333eaf34984e96e2fd7
parent: Switch workers from temporary to transient (diff)
parent: Harden the systemd unit (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/ejabberd.service.template b/ejabberd.service.template
index 80b15adbd..49ba14737 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -12,6 +12,13 @@ ExecStop=@ctlscriptpath@/ejabberdctl stop
 ExecReload=@ctlscriptpath@/ejabberdctl reload_config
 Type=oneshot
 RemainAfterExit=yes
+# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true
 
 [Install]
 WantedBy=multi-user.target
author	Christophe Romain <cromain@users.noreply.github.com>	2016-07-29 11:33:32 +0200
committer	GitHub <noreply@github.com>	2016-07-29 11:33:32 +0200
commit	3c58a93eb8651fe958ce12519437d0cc28abb662 (patch)
tree	e90e62663a76061a863ae333eaf34984e96e2fd7
parent	Switch workers from temporary to transient (diff)
parent	Harden the systemd unit (diff)