Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[wishlist] Please consider enabling systemd hardening features in provided service files #84

Open
sten0 opened this issue Aug 4, 2020 · 0 comments
Open

[wishlist] Please consider enabling systemd hardening features in provided service files #84

sten0 opened this issue Aug 4, 2020 · 0 comments
Labels
enhancement

Comments

@sten0
Copy link
Contributor

sten0 commented Aug 4, 2020

Please consider enabling systemd hardening features in provided service files. See http://0pointer.de/blog/projects/security.html and systemd.service(5) for available facilities. Examples of these are blocking network access, private /tmp directories, making directories read-only, or hiding directories.

Other then the premise of declaring minimal required dependencies, it seems like it might be useful to enforce best practises such as never defragmenting snapshots. eg: specify a list of directories that hold snapshots in the config file, and then block access and/or writes to them. Granted, I'm not convinced this is the best approach, and am merely providing it as an example.
sten0 added a commit to sten0/btrfsmaintenance that referenced this issue Aug 12, 2020
@sten0
Add doc key to btrfsmaintenance-refresh.service
9324568 
This enables `systemctl help servicename` to function correctly by
displaying the documentation associated with the service.

Closes kdave#84
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kdave @sten0