From 849b24b26141e59b3bab82ca80ff082638c2219c Mon Sep 17 00:00:00 2001
From: Ralf Zerres
Date: Wed, 28 Apr 2021 13:31:29 +0200
Subject: [PATCH] systemd.unit: reworked `acmed.service`

acmed.service: hardened sandbox systemd unit
* comments the logical units
* update working directory (ACMEd needs write access)
* update runtime directory (write/update the pid-file)
* reduce privileges for filesystem and kernel-space
Signed-off-by: Ralf Zerres
---
 contrib/acmed.service | 38 +++++++++++++++++++++++++++++++++++
 contrib/acmed.service.example | 29 --------------------------
 2 files changed, 38 insertions(+), 29 deletions(-)
 create mode 100644 contrib/acmed.service
 delete mode 100644 contrib/acmed.service.example
diff --git a/contrib/acmed.service b/contrib/acmed.service
new file mode 100644
index 0000000..26245ec
--- /dev/null
+++ b/contrib/acmed.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=ACME client daemon
+After=network.target
+
+[Service]
+User=acmed
+Group=acmed
+
+# Working directory (acmed home path)
+WorkingDirectory=/var/lib/acmed
+RuntimeDirectory=acmed
+
+# daemon handling: start, stop, timeouts
+#ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level trace --log-stderr
+ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level warn
+TimeoutStartSec=3
+TimeoutStopSec=5
+Restart=on-failure
+KillSignal=SIGINT
+
+# Sandboxing: reduce privileges on filesystem and kernel-space
+# restrict write access to acmed's directories with variable data
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+ReadWritePaths=/etc/acmed /var/lib/acmed
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/acmed.service.example b/contrib/acmed.service.example
deleted file mode 100644
index 96c2bb9..0000000
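Review bot: `ReadWritePaths=/etc/acmed /var/lib/acmed` leaves the configuration directory writable by the daemon although the comment two lines above says write access is restricted to the directories holding variable data, and the only reason the old unit needed it — the pid file under /etc/acmed — is gone now that the pid file lives in the RuntimeDirectory. If acmed only reads its configuration from /etc/acmed, shrink the line to `ReadWritePaths=/var/lib/acmed` so that a compromised process cannot rewrite its own hook configuration; if it still writes account or certificate state there (not visible from this file), record that in the comment instead. The sandbox can also be tightened with the directives in the fence below, which should not affect a client that only needs outbound TCP, though whether acmed's hooks call external programs that these restrictions would break cannot be judged from this unit alone. The commented-out trace-level `#ExecStart=` line needs a comment such as `# debugging variant: trace level, log to stderr` or it reads as a leftover.
```ini
# … unchanged: [Unit]; [Service] from User= through ProtectSystem=strict …
# configuration in /etc/acmed stays read-only; only the state directory is writable
ReadWritePaths=/var/lib/acmed
# … unchanged: RestrictRealtime, RestrictSUIDSGID, SystemCallFilter …
SystemCallArchitectures=native
ProtectHome=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
# AF_UNIX is kept for local name-resolution sockets; confirm DNS lookups still work after enabling
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# … unchanged: [Install] …
```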
--- a/contrib/acmed.service.example
+++ /dev/null
@@ -1,29 +0,0 @@
-# systemd example unit file. Please adjust.
-
-[Unit]
-Description=ACME client daemon
-After=network.target
-
-[Service]
-User=acmed
-Group=acmed
-
-# Working directory
-WorkingDirectory=/etc/acmed
-
-# Starting, stopping, timeouts
-ExecStart=/usr/local/bin/acmed --foreground --pid-file /etc/acmed/acmed.pid --log-level debug --log-stderr
-TimeoutStartSec=3
-TimeoutStopSec=5
-Restart=on-failure
-KillSignal=SIGINT
-
-# Sandboxing, reduce privileges, only allow write access to working directory
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateUsers=yes
-ProtectSystem=strict
-ReadWritePaths=/etc/acmed/
-
-[Install]
-WantedBy=multi-user.target