diff --git a/conf/systemd.service b/conf/systemd.service index 3634cb4..9fd8a34 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -16,21 +16,35 @@ StandardError=syslog SyslogIdentifier=__APP__ Restart=always -; Some security directives (inspired from peertube_ynh package) -; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed ProtectSystem=full -; Sets up a new /dev mount for the process and only adds API pseudo devices -; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled -; by default because it may not work on devices like the Raspberry Pi. -PrivateDevices=false -; Ensures that the service process and all its children can never gain new -; privileges through execve(). -NoNewPrivileges=true -; This makes /home, /root, and /run/user inaccessible and empty for processes invoked -; by this unit. Make sure that you do not depend on data inside these folders. -ProtectHome=false -; Drops the sys admin capability from the daemon. -CapabilityBoundingSet=~CAP_SYS_ADMIN +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] WantedBy=multi-user.target diff --git a/scripts/restore b/scripts/restore index 7943d12..45d802f 100755 --- a/scripts/restore +++ b/scripts/restore @@ -38,8 +38,6 @@ port=$(ynh_app_setting_get --app=$app --key=port) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=2 -ynh_webpath_available --domain=$domain --path_url=$path_url \ - || ynh_die --message="Path not available: ${domain}${path_url}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path "