From 7cb1b69744313532e0d3a1c6de59ecdf88349cf3 Mon Sep 17 00:00:00 2001
From: Balakrishnan Balasubramanian
Date: Sat, 24 Jun 2023 21:17:47 -0400
Subject: [PATCH] more systemd hardening
---
 deploy_configs/mail4one.service | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/deploy_configs/mail4one.service b/deploy_configs/mail4one.service
index 10bb51e..9401a71 100644
--- a/deploy_configs/mail4one.service
+++ b/deploy_configs/mail4one.service
@@ -9,19 +9,20 @@ Requires=network-online.target
 [Service]
 User=mail4one
 ExecStart=/usr/local/bin/mail4one --config /etc/mail4one/config.json
+
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
 StateDirectory=mail4one/certs mail4one/mails
 StateDirectoryMode=0750
-UMask=
 LogsDirectory=mail4one
 WorkingDirectory=/var/lib/mail4one
 ProtectSystem=strict
 PrivateTmp=true
-PrivateUsers=true
 ProtectHome=yes
-NoNewPrivileges=yes
+ProtectProc=invisible
 [Install]
 WantedBy=multi-user.target
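Review bot: Dropping `PrivateUsers=true` and the `UMask=` line are the two changes in this hunk that loosen the unit rather than tighten it, and neither is explained under a subject that says hardening. The `PrivateUsers=` removal is presumably deliberate, since a private user namespace leaves the service with no capabilities on the host and the ambient `CAP_NET_BIND_SERVICE` could then not bind low ports; a comment such as `# PrivateUsers= omitted: conflicts with AmbientCapabilities=CAP_NET_BIND_SERVICE` would record that for the next maintainer. With no `UMask=` set, systemd's default of 0022 applies, so files under `mail4one/certs` and `mail4one/mails` are shielded from other local accounts only by `StateDirectoryMode=0750`; adding `UMask=0077` would keep mail and key files owner-only by mode as well. Running `systemd-analyze security mail4one.service` will list what is still exposed, for example `PrivateDevices=`, `ProtectKernelTunables=` and `RestrictAddressFamilies=`, none of which appear in the visible part of the unit.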