1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-03 00:07:05 +00:00

add additional protections to the management daemon's runtime environment

This commit is contained in:
downtownallday 2022-09-18 15:43:10 -04:00
parent 5e1dcc933f
commit 603b716ac2
2 changed files with 11 additions and 0 deletions

View File

@ -5,6 +5,16 @@ After=multi-user.target
[Service]
Type=idle
IgnoreSIGPIPE=False
ProtectSystem=yes
ProtectHome=read-only
ReadWritePaths=STORAGE_ROOT
PrivateDevices=yes
PrivateNetwork=no
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
SyslogIdentifier=mailinabox
ExecStart=/usr/local/lib/mailinabox/start
[Install]

View File

@ -109,6 +109,7 @@ exec gunicorn -b localhost:10222 -w 1 wsgi:app
EOF
chmod +x $inst_dir/start
cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
sed -i "s|STORAGE_ROOT|$STORAGE_ROOT|g" /lib/systemd/system/mailinabox.service
hide_output systemctl link -f /lib/systemd/system/mailinabox.service
hide_output systemctl daemon-reload
hide_output systemctl enable mailinabox.service