diff options
author | Craig Andrews <candrews@integralblue.com> | 2016-06-28 17:02:41 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-06-28 17:02:41 -0400 |
commit | 2e28d06744ae0bd2bc5807becc17931520e15b2e (patch) | |
tree | 963f37fa7a92e7eaa97611699db8174693c7802b | |
parent | Include correct version in stream:stream when reporting errors (diff) |
Harden the systemd unit
Restrict capabilities, have a private tmp directory, private /dev, and don't accessing file system locations that really shouldn't be accessed.
-rw-r--r-- | ejabberd.service.template | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/ejabberd.service.template b/ejabberd.service.template index 80b15adbd..49ba14737 100644 --- a/ejabberd.service.template +++ b/ejabberd.service.template @@ -12,6 +12,13 @@ ExecStop=@ctlscriptpath@/ejabberdctl stop ExecReload=@ctlscriptpath@/ejabberdctl reload_config Type=oneshot RemainAfterExit=yes +# The CAP_DAC_OVERRIDE capability is required for pam authentication to work +CapabilityBoundingSet=CAP_DAC_OVERRIDE +PrivateTmp=true +PrivateDevices=true +ProtectHome=true +ProtectSystem=full +NoNewPrivileges=true [Install] WantedBy=multi-user.target |