external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-04 00:17:06 +00:00
Code Issues Releases Wiki Activity

add additional protections to the management daemon's runtime environment

Browse Source
This commit is contained in:
downtownallday 2022-09-18 15:43:10 -04:00
parent 5e1dcc933f
commit 603b716ac2
2 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
conf/mailinabox.service
View File

@ -5,6 +5,16 @@ After=multi-user.target
[Service] [Service]
Type=idle Type=idle
IgnoreSIGPIPE=False IgnoreSIGPIPE=False
ProtectSystem=yes
ProtectHome=read-only
ReadWritePaths=STORAGE_ROOT
PrivateDevices=yes
PrivateNetwork=no
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
SyslogIdentifier=mailinabox
ExecStart=/usr/local/lib/mailinabox/start ExecStart=/usr/local/lib/mailinabox/start
[Install] [Install]

1
setup/management.sh
View File

@ -109,6 +109,7 @@ exec gunicorn -b localhost:10222 -w 1 wsgi:app
EOF EOF
chmod +x $inst_dir/start chmod +x $inst_dir/start
cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
sed -i "s|STORAGE_ROOT|$STORAGE_ROOT|g" /lib/systemd/system/mailinabox.service
hide_output systemctl link -f /lib/systemd/system/mailinabox.service hide_output systemctl link -f /lib/systemd/system/mailinabox.service
hide_output systemctl daemon-reload hide_output systemctl daemon-reload
hide_output systemctl enable mailinabox.service hide_output systemctl enable mailinabox.service