Harden the systemd unit

Restrict capabilities, have a private tmp directory, private /dev, and don't accessing file system locations that really shouldn't be accessed.
author: Craig Andrews <candrews@integralblue.com> 2016-06-28 17:02:41 -0400
committer: GitHub <noreply@github.com> 2016-06-28 17:02:41 -0400
commit: 2e28d06744ae0bd2bc5807becc17931520e15b2e (patch)
tree: 963f37fa7a92e7eaa97611699db8174693c7802b /ejabberd.service.template
parent: Include correct version in stream:stream when reporting errors (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/ejabberd.service.template b/ejabberd.service.template
index 80b15adbd..49ba14737 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -12,6 +12,13 @@ ExecStop=@ctlscriptpath@/ejabberdctl stop
 ExecReload=@ctlscriptpath@/ejabberdctl reload_config
 Type=oneshot
 RemainAfterExit=yes
+# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true
 
 [Install]
 WantedBy=multi-user.target
author	Craig Andrews <candrews@integralblue.com>	2016-06-28 17:02:41 -0400
committer	GitHub <noreply@github.com>	2016-06-28 17:02:41 -0400
commit	2e28d06744ae0bd2bc5807becc17931520e15b2e (patch)
tree	963f37fa7a92e7eaa97611699db8174693c7802b /ejabberd.service.template
parent	Include correct version in stream:stream when reporting errors (diff)