systemd provides a number of service parameters which can be used to restrict icyci (and sub) process' access to filesystem / network / environment. I think it'd be very helpful to have a service file which sets some sensible defaults, preferably annotated with best practices and (permissions error) debugging tips.
https://nickb.dev/blog/writing-a-secure-systemd-service-with-sandboxing-and-dynamic-users/ appears to provide a pretty nice walk-through.
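A sketch of the kind of annotated unit file requested above, added here as an example and not icyci's own service file. The binary path, the `<ARGS>` placeholder, the commented-out `ReadWritePaths` entry, and the assumption that icyci and the scripts it runs need only IP networking and a single writable state directory are all assumptions to adjust.

```ini
# icyci.service: constructed example. Paths and arguments are placeholders.
[Unit]
Description=icyci (sandboxed)
Wants=network-online.target
After=network-online.target

[Service]
# Placeholder command line; substitute the real binary path and arguments.
ExecStart=/usr/local/bin/icyci <ARGS>

# Identity: transient unprivileged user, no privilege gain via setuid binaries,
# and an empty capability bounding set.
DynamicUser=yes
NoNewPrivileges=yes
CapabilityBoundingSet=

# Filesystem: everything read-only except the state directory and a private /tmp.
# StateDirectory=icyci makes /var/lib/icyci writable for the service user.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
StateDirectory=icyci
WorkingDirectory=/var/lib/icyci
# Debug tip: "Read-only file system" or "Permission denied" in the journal
# usually means a path is missing here. Add it explicitly, e.g.:
#ReadWritePaths=/srv/icyci-placeholder

# Network: assumes only IP and local sockets are needed (git over ssh/https).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Environment: services do not inherit a login environment, so set what
# the process and its child scripts need explicitly.
Environment=HOME=/var/lib/icyci

# Kernel surface.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
LockPersonality=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Debug tip: a filtered syscall kills the process with SIGSYS. To get an
# error return instead while investigating, uncomment:
#SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security icyci.service` scores the remaining exposure of the unit, and `journalctl -u icyci.service` shows the failures that point to a directive that is too strict for a given test script.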