Open cpitclaudel opened 5 years ago
See also: https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04, https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#unit-configuration, and https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing:
The following sandboxing options are an effective way to limit the exposure of the system towards the unit's processes. It is recommended to turn on as many of these options for each unit as is possible without negatively affecting the process' ability to operate.
When I add these, ympd fails to start for me, since it cannot change the user (drop privileges).
Are you setting up ympd.service as a user service?
No, but I figured it out in the meantime: the user name has (of course) to be the same as in /etc/defaults/ympd for $YMPD_USER, which in my case was mpd.
Ah, it makes sense then :)
I'd also remove the --user $YMPD_USER argument in this PR, since it will/can clash with the DynamicUser=yes/User=ympd, and is unnecessary.
Great work otherwise. Should it be merged already? :)
This offers a measure of protection against potential ympd vulnerabilities. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for documentation.
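
The change discussed in this thread, sketched as a systemd drop-in. This is an added example, not the PR's actual diff; the drop-in path, the /usr/bin/ympd location, and the assumption that ympd listens on an unprivileged port and needs no writable state are all assumptions.

```ini
# Constructed example: /etc/systemd/system/ympd.service.d/hardening.conf
[Service]
# systemd allocates an unprivileged, transient user for the service.
# ympd then starts without root, so it cannot switch users on its own.
DynamicUser=yes

# Before (clashes with DynamicUser=/User=, as reported in the thread):
#   ExecStart=/usr/bin/ympd --user $YMPD_USER ...
# After: clear the inherited command, then restate it without --user.
# Keep the unit's other arguments unchanged; they are omitted here
# because the page does not show them.
ExecStart=
ExecStart=/usr/bin/ympd

# Filesystem exposure. DynamicUser=yes already implies several of these;
# they are listed explicitly so the intent survives a later switch to User=.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel interfaces a web front-end for MPD has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Network and syscall surface: sockets only, no namespaces, native ABI only.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native

# No capabilities at all; only valid while the web port stays above 1023.
CapabilityBoundingSet=
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security ympd.service` lists which sandboxing options are still unset for the unit.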