systemd.unit: reworked `acmed.service`

acmed.service: hardened sandbox systemd unit * comments the logical units * update working directory (ACMEd needs write access) * update runtime directory (write/update the pid-file) * reduce privileges for filesystem and kernel-space Signed-off-by: Ralf Zerres <ralf.zerres@networkx.de>
5 years ago · 849b24b261
2 changed files with 38 additions and 29 deletions
--- a/contrib/acmed.service
+++ b/contrib/acmed.service
@ -0,0 +1,38 @@
+[Unit]
+Description=ACME client daemon
+After=network.target
+
+[Service]
+User=acmed
+Group=acmed
+
+# Working directory (acmed home path)
+WorkingDirectory=/var/lib/acmed
+RuntimeDirectory=acmed
+
+# daemon handling: start, stop, timeouts
+#ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level trace --log-stderr
+ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level warn
+TimeoutStartSec=3
+TimeoutStopSec=5
+Restart=on-failure
+KillSignal=SIGINT
+
+# Sandboxing: reduce privileges on filesystem and kernel-space
+# restrict write access to acmed's directories with variable data
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+ReadWritePaths=/etc/acmed /var/lib/acmed
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
--- a/contrib/acmed.service.example
+++ b/contrib/acmed.service.example
@ -1,29 +0,0 @@
-# systemd example unit file. Please adjust.
-
-[Unit]
-Description=ACME client daemon
-After=network.target
-
-[Service]
-User=acmed
-Group=acmed
-
-# Working directory
-WorkingDirectory=/etc/acmed
-
-# Starting, stopping, timeouts
-ExecStart=/usr/local/bin/acmed --foreground --pid-file /etc/acmed/acmed.pid --log-level debug --log-stderr
-TimeoutStartSec=3
-TimeoutStopSec=5
-Restart=on-failure
-KillSignal=SIGINT
-
-# Sandboxing, reduce privileges, only allow write access to working directory
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateUsers=yes
-ProtectSystem=strict
-ReadWritePaths=/etc/acmed/
-
-[Install]
-WantedBy=multi-user.target