authorChristian Grothoff <christian@grothoff.org>2021-01-23 23:02:10 +0100
committerChristian Grothoff <christian@grothoff.org>2021-01-23 23:02:10 +0100
commit69d29a79313316ee3a8342c8911effe2f7eb6d2a (patch)
treeb909a0c2e5713d7c823d42590ea739340bf49194
parent2bba834643b520ccedc8bfad780183242dc19fed (diff)
apply a bit more systemd hardening
-rw-r--r--debian/taler-exchange.postinst26
1 files changed, 24 insertions, 2 deletions
diff --git a/debian/taler-exchange.postinst b/debian/taler-exchange.postinst
index 9bad800d7..26bf3de69 100644
--- a/debian/taler-exchange.postinst
+++ b/debian/taler-exchange.postinst
@@ -114,6 +114,9 @@ User=${_EUSERNAME}
Type=simple
Restart=on-failure
ExecStart=/usr/bin/taler-exchange-httpd -c /etc/taler-exchange.conf
+PrivateTmp=no
+PrivateDevices=yes
+ProtectSystem=full
[Install]
WantedBy=multi-user.target
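Review bot: `PrivateTmp=no` on the network-facing taler-exchange-httpd unit switches off the one directive in this set that isolates /tmp, and nothing in the hunk says why, so the next reader will take it for an oversight rather than a requirement; the same three lines recur in the secmod-rsa and secmod-eddsa hunks. If the httpd and the two secmods rendezvous over a socket under /tmp (not visible here), record that where the unit is written, e.g. `# PrivateTmp stays off: httpd and the secmods share their UNIX socket via /tmp` above the heredoc, or better move the socket under /run so all three can use `PrivateTmp=yes`. `ProtectSystem=full` only makes /usr, /boot and /etc read-only; for daemons that need nothing but /etc/taler-exchange.conf, `ProtectHome=yes` and `NoNewPrivileges=yes` are the usual companions and would cost nothing here.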
@@ -129,9 +132,10 @@ User=${_RSECUSERNAME}
Type=simple
Restart=on-failure
ExecStart=/usr/bin/taler-exchange-secmod-rsa -c /etc/taler-exchange.conf
+PrivateTmp=no
+PrivateDevices=yes
+ProtectSystem=full
-[Install]
-WantedBy=multi-user.target
EOF
cat > "/etc/systemd/system/taler-exchange-secmod-eddsa.service" <<EOF
[Unit]
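Review bot: The two removed lines drop the `[Install]` section from taler-exchange-secmod-rsa.service, which the commit message ("systemd hardening") does not cover; without `WantedBy=` the unit can no longer be enabled with `systemctl enable`, so it only runs if another unit pulls it in through Requires=/Wants=, which is outside this hunk. The secmod-eddsa unit in the next hunk already has no [Install] section, so this may be deliberate alignment, but it deserves a line in the script such as `# secmods are started as dependencies of taler-exchange-httpd, not enabled directly` — or the two lines should stay. The heredoc that writes this unit begins before the hunk.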
@@ -143,6 +147,10 @@ User=${_ESECUSERNAME}
Type=simple
Restart=on-failure
ExecStart=/usr/bin/taler-exchange-secmod-eddsa -c /etc/taler-exchange.conf
+PrivateTmp=no
+PrivateDevices=yes
+ProtectSystem=full
+
EOF
cat > "/etc/systemd/system/taler-exchange-wirewatch.service" <<EOF
[Unit]
@@ -155,6 +163,11 @@ User=${_WIREUSERNAME}
Type=simple
Restart=on-failure
ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+
+
EOF
cat > "/etc/systemd/system/taler-exchange-transfer.service" <<EOF
[Unit]
@@ -167,6 +180,10 @@ User=${_WIREUSERNAME}
Type=simple
Restart=on-failure
ExecStart=/usr/bin/taler-exchange-wirewatch -c /etc/taler-wire.conf
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+
EOF
cat > "/etc/systemd/system/taler-exchange-aggregator.service" <<EOF
[Unit]
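Review bot: The taler-exchange-transfer unit's `ExecStart=` line, the context line just above the added hardening, launches `/usr/bin/taler-exchange-wirewatch`, the same binary the wirewatch unit in the previous hunk runs; this looks like a copy-and-paste slip that the hardening commit carries forward, leaving two units running wirewatch and none running transfer. If the transfer daemon is installed as /usr/bin/taler-exchange-transfer (not visible here), the line should read `ExecStart=/usr/bin/taler-exchange-transfer -c /etc/taler-wire.conf`. Separately, this hunk adds one empty `+` line inside the heredoc and the wirewatch and aggregator hunks add two, so the generated unit files end with a varying number of blank lines; harmless, but one form for all six units reads better.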
@@ -178,6 +195,11 @@ User=${_AGGRUSERNAME}
Type=simple
Restart=on-failure
ExecStart=/usr/bin/taler-exchange-aggregator -c /etc/taler.conf
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+
+
EOF
cp -f "${CONFIG_NEW}" "${CONFIG_FILE}"