mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2025-04-03 00:07:05 +00:00
add additional protections to the management daemon's runtime environment
This commit is contained in:
parent
5e1dcc933f
commit
603b716ac2
@ -5,6 +5,16 @@ After=multi-user.target
|
||||
[Service]
|
||||
Type=idle
|
||||
IgnoreSIGPIPE=False
|
||||
ProtectSystem=yes
|
||||
ProtectHome=read-only
|
||||
ReadWritePaths=STORAGE_ROOT
|
||||
PrivateDevices=yes
|
||||
PrivateNetwork=no
|
||||
ProtectClock=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelLogs=yes
|
||||
SyslogIdentifier=mailinabox
|
||||
ExecStart=/usr/local/lib/mailinabox/start
|
||||
|
||||
[Install]
|
||||
|
@ -109,6 +109,7 @@ exec gunicorn -b localhost:10222 -w 1 wsgi:app
|
||||
EOF
|
||||
chmod +x $inst_dir/start
|
||||
cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
|
||||
sed -i "s|STORAGE_ROOT|$STORAGE_ROOT|g" /lib/systemd/system/mailinabox.service
|
||||
hide_output systemctl link -f /lib/systemd/system/mailinabox.service
|
||||
hide_output systemctl daemon-reload
|
||||
hide_output systemctl enable mailinabox.service
|
||||
|
Loading…
Reference in New Issue
Block a user