apply a bit more systemd hardening
parent
2bba834643
commit
69d29a7931
26
debian/taler-exchange.postinst
26
debian/taler-exchange.postinst
@ -114,6 +114,9 @@ User=${_EUSERNAME}
|
|||||||
Type=simple
|
Type=simple
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler-exchange.conf
|
ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler-exchange.conf
|
||||||
|
PrivateTmp=no
|
||||||
|
PrivateDevices=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
@ -129,9 +132,10 @@ User=${_RSECUSERNAME}
|
|||||||
Type=simple
|
Type=simple
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler-exchange.conf
|
ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler-exchange.conf
|
||||||
|
PrivateTmp=no
|
||||||
|
PrivateDevices=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
EOF
|
EOF
|
||||||
cat > "/etc/systemd/system/taler-exchange-secmod-eddsa.service" <<EOF
|
cat > "/etc/systemd/system/taler-exchange-secmod-eddsa.service" <<EOF
|
||||||
[Unit]
|
[Unit]
|
||||||
@ -143,6 +147,10 @@ User=${_ESECUSERNAME}
|
|||||||
Type=simple
|
Type=simple
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler-exchange.conf
|
ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler-exchange.conf
|
||||||
|
PrivateTmp=no
|
||||||
|
PrivateDevices=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
cat > "/etc/systemd/system/taler-exchange-wirewatch.service" <<EOF
|
cat > "/etc/systemd/system/taler-exchange-wirewatch.service" <<EOF
|
||||||
[Unit]
|
[Unit]
|
||||||
@ -155,6 +163,11 @@ User=${_WIREUSERNAME}
|
|||||||
Type=simple
|
Type=simple
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf
|
ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
cat > "/etc/systemd/system/taler-exchange-transfer.service" <<EOF
|
cat > "/etc/systemd/system/taler-exchange-transfer.service" <<EOF
|
||||||
[Unit]
|
[Unit]
|
||||||
@ -167,6 +180,10 @@ User=${_WIREUSERNAME}
|
|||||||
Type=simple
|
Type=simple
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf
|
ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
cat > "/etc/systemd/system/taler-exchange-aggregator.service" <<EOF
|
cat > "/etc/systemd/system/taler-exchange-aggregator.service" <<EOF
|
||||||
[Unit]
|
[Unit]
|
||||||
@ -178,6 +195,11 @@ User=${_AGGRUSERNAME}
|
|||||||
Type=simple
|
Type=simple
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler.conf
|
ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler.conf
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cp -f "${CONFIG_NEW}" "${CONFIG_FILE}"
|
cp -f "${CONFIG_NEW}" "${CONFIG_FILE}"
|
||||||
|
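Review bot: `PrivateTmp=no` in the httpd and both secmod units (first three hunks) is a deliberate exception to the hardening being applied and deserves a comment inside the generated unit, e.g. `# PrivateTmp=no: httpd and the secmods presumably rendezvous over unix sockets under /tmp — confirm socket path`, so a later cleanup does not flip it to `yes` and break the socket handshake. `ProtectSystem=full` only makes /usr, /boot and /etc read-only, so every unit can still write anywhere under /var and /home and can still gain privileges through setuid binaries; `NoNewPrivileges=yes` and `ProtectHome=yes` are cheap additions next to `PrivateDevices=yes` that need no path exceptions for these daemons. Two things the commit message does not mention: the second hunk appears to drop the `[Install]`/`WantedBy=multi-user.target` lines from the secmod-rsa unit (the hunk's line counts only fit that reading), which would make `systemctl enable` a no-op for it unless another unit pulls it in, and the transfer unit (fifth hunk) still carries `ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf`, presumably a copy-paste error for the transfer binary. Each unit body is a here-doc whose `cat > … <<EOF` line starts outside the hunk.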