
systemd.unit: reworked `acmed.service`

acmed.service: hardened sandbox systemd unit
  * comment the logical units
  * update working directory (ACMEd needs write access)
  * update runtime directory (write/update the pid-file)
  * reduce privileges for filesystem and kernel-space

Signed-off-by: Ralf Zerres <ralf.zerres@networkx.de>
pull/51/head
Ralf Zerres 4 years ago
commit
849b24b261
No known key found for this signature in database GPG Key ID: D17312FD44A71C23
  1. 38
      contrib/acmed.service
  2. 29
      contrib/acmed.service.example

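--- /dev/null
+++ b/contrib/acmed.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=ACME client daemon
+After=network.target
+[Service]
+User=acmed
+Group=acmed
+# Working directory (acmed home path)
+WorkingDirectory=/var/lib/acmed
+RuntimeDirectory=acmed
+# daemon handling: start, stop, timeouts
+#ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level trace --log-stderr
+ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level warn
+TimeoutStartSec=3
+TimeoutStopSec=5
+Restart=on-failure
+KillSignal=SIGINT
+# Sandboxing: reduce privileges on filesystem and kernel-space
+# restrict write access to acmed's directories with variable data
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+ReadWritePaths=/etc/acmed /var/lib/acmed
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+[Install]
+WantedBy=multi-user.target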
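Review bot: `ReadWritePaths=/etc/acmed /var/lib/acmed` makes the configuration directory writable, which contradicts the comment two lines above it ("restrict write access to acmed's directories with variable data"); if acmed keeps its accounts and certificates under /etc/acmed by default the grant is needed and the comment should say so, otherwise it should be narrowed to the subdirectories that are actually written. `SystemCallFilter=@system-service` should be paired with `SystemCallArchitectures=native`, which the systemd documentation recommends so the filter cannot be sidestepped through a non-native syscall ABI, and several other low-risk restrictions (`ProtectKernelModules`, `ProtectControlGroups`, `ProtectHome`, `RestrictNamespaces`, `LockPersonality`, `RestrictAddressFamilies`) are absent from the sandbox block, so I would extend it as below. Any hooks acmed is configured to run execute inside this same sandbox, so the deployment's hooks need to be tested against the tightened unit (AF_NETLINK is kept because glibc's getaddrinfo() uses it). The commented-out trace-level `ExecStart` line at the top of the daemon block would read better with a one-line comment marking it as a debugging alternative rather than a leftover.
```ini
# Sandboxing: reduce privileges on filesystem and kernel-space
# … unchanged: NoNewPrivileges … SystemCallFilter=@system-service …
SystemCallArchitectures=native
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectHome=yes
RestrictNamespaces=yes
LockPersonality=yes
# AF_NETLINK is used by glibc's resolver; remove only after testing hooks and renewals
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
```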

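--- a/contrib/acmed.service.example
+++ /dev/null
@@ -1,29 +0,0 @@
-# systemd example unit file. Please adjust.
-[Unit]
-Description=ACME client daemon
-After=network.target
-[Service]
-User=acmed
-Group=acmed
-# Working directory
-WorkingDirectory=/etc/acmed
-# Starting, stopping, timeouts
-ExecStart=/usr/local/bin/acmed --foreground --pid-file /etc/acmed/acmed.pid --log-level debug --log-stderr
-TimeoutStartSec=3
-TimeoutStopSec=5
-Restart=on-failure
-KillSignal=SIGINT
-# Sandboxing, reduce privileges, only allow write access to working directory
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateUsers=yes
-ProtectSystem=strict
-ReadWritePaths=/etc/acmed/
-[Install]
-WantedBy=multi-user.target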