Open svengo opened 7 years ago
Thank you for this great contribution! I'll add the service file to the next release.
Maybe the service file can be hardened? My Debian Jessie box (Bananian Linux) use no systemd by default. Therefore I cannot dive into it at the moment. But my snippet should be a good start. Capabilities and syscalls whitelist are still missing. Some directives may be only available on newer systemd versions.
[service]
ProtectSystem=full
ReadWriteDirectories=/var/log/theonionbox
CapabilityBoundingSet=???
SystemCallFilter=???
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
What do others think?
I managed to run The Onion Box as daemon with systemd (under Ubuntu 16.04) based on the wiki:
theonionbox
~theonionbox
andsudo chmod 755 ./theonionbox.py
~theonionbox/config/theonionbox.cfg
to your needssudo vi /etc/systemd/system/theonionbox.service
with the following content:sudo systemctl start theonionbox.service
sudo systemctl enable theonionbox.service