authorsurefire2016-09-21 12:36:25 +0300
committersurefire2016-09-21 13:01:18 +0300
commit7dc92d3ff2e3e99e52785d372834ab801dd15308 (patch)
tree3e47a2f29d6e7c166116b2319d5718c01bb732f8
parent98cd24f39785006b38e666856f4259957578719b (diff)
downloadaur-7dc92d3ff2e3e99e52785d372834ab801dd15308.tar.gz
improved security
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD4
-rw-r--r--acme@.service11
-rw-r--r--example.conf3
4 files changed, 15 insertions, 7 deletions
diff --git a/.SRCINFO b/.SRCINFO
index fdea9e7404c7..86d0bd0a734f 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -21,8 +21,8 @@ pkgbase = acme-client-git
sha256sums = SKIP
sha256sums = 5f87d778e5d62822d60e38fa9621c1c5648fc559d198ba314bd9d89cbf67d9e3
sha256sums = c7d852229ae8a1b816ec476554c5d703a5513e6578a38672a52f7e7fca653b73
- sha256sums = 2fbe99262986b4e4d84e659bc868e1e616c3b150190d50994f4184b1d606dc60
- sha256sums = b441b83feda96286a932add31237abfccb9f7bed7d13a3c6d85886e6a62fcc8f
+ sha256sums = 8eec610434e438d3962abf2a0fe31fa6b91878b2e048f33a31d89aa9576061a9
+ sha256sums = 297cf2592b1baed8da591136334ab7fc1f4f64a6a093a1ac657ceaae45aa8583
pkgname = acme-client-git
diff --git a/PKGBUILD b/PKGBUILD
index e9bfbf673808..705aa64eb5dd 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -20,8 +20,8 @@ source=(${pkgname}::'git+https://github.com/kristapsdz/acme-client-portable.git'
sha256sums=('SKIP'
'5f87d778e5d62822d60e38fa9621c1c5648fc559d198ba314bd9d89cbf67d9e3'
'c7d852229ae8a1b816ec476554c5d703a5513e6578a38672a52f7e7fca653b73'
- '2fbe99262986b4e4d84e659bc868e1e616c3b150190d50994f4184b1d606dc60'
- 'b441b83feda96286a932add31237abfccb9f7bed7d13a3c6d85886e6a62fcc8f')
+ '8eec610434e438d3962abf2a0fe31fa6b91878b2e048f33a31d89aa9576061a9'
+ '297cf2592b1baed8da591136334ab7fc1f4f64a6a093a1ac657ceaae45aa8583')
depends=('libbsd')
makedepends=('git')
diff --git a/acme@.service b/acme@.service
index b2f16e6ddbc9..cccfed95d390 100644
--- a/acme@.service
+++ b/acme@.service
@@ -26,3 +26,14 @@ EnvironmentFile=/etc/acme/%I.conf
ExecStartPre=/usr/bin/install -dm0700 "${ACME_DIR}/certs/%I"
ExecStart=/usr/bin/acme-client $ACME_ARGS -f "${ACME_DIR}/accounts/${ACME_ACCOUNT}.pem" -c "${ACME_DIR}/certs/%I" -k "${ACME_DIR}/certs/%I/privkey.pem" -C /run/acme-challenge $ACME_DOMAINS
+
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
+NoNewPrivileges=true
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/acme
+ReadWritePaths=/run/acme-challenge
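Review bot: The added `ReadWritePaths=/var/lib/acme` is a literal path, while `ExecStartPre` and `ExecStart` in the context lines above still write under `${ACME_DIR}`; systemd expands environment variables only in the Exec lines, so an `ACME_DIR` set in `/etc/acme/%I.conf` would send the client to a location that `ReadOnlyPaths=/` has made read-only. Dropping the option from example.conf hides it but, as far as this page shows, does not stop the EnvironmentFile from overriding it, so I would add a comment such as `# ACME_DIR must remain /var/lib/acme; ReadWritePaths= below is not expanded from the environment`. Both writable paths also need to exist before the unit starts, since the mount namespace is set up before `ExecStartPre` runs and a missing path is expected to fail the start; whether the package creates `/run/acme-challenge` is not visible here. The beginning of the unit lies outside the hunk, so where `ACME_DIR` gets its default and whether `User=` is set cannot be checked from this page.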
diff --git a/example.conf b/example.conf
index 9ea17221ba09..19a70d125539 100644
--- a/example.conf
+++ b/example.conf
@@ -18,9 +18,6 @@
# List domain names included in certificate separated by space. All domains should work and refer to this server.
ACME_DOMAINS="example.com www.example.com"
-# Directory for acme accounts and certificates
-#ACME_DIR="/var/lib/acme"
-
#ACME_ACCOUNT="letsencrypt"
#ACME_ARGS="-vbnN"