authorMarkus Richter2020-04-29 16:51:29 +0200
committerMarkus Richter2020-04-29 17:02:27 +0200
commit0ec97fa308d6045e680db4e0209ad46b56fe523a (patch)
treeb8db1e5824c5601b36ed1fa14d8596383233c20d /bitwarden_rs.service
parent9f3d7cfda49d50c3fc86fa6de7d6983e97a79094 (diff)
downloadaur-0ec97fa308d6045e680db4e0209ad46b56fe523a.tar.gz
Tell bitwarden_rs its version, harden service more
Diffstat (limited to 'bitwarden_rs.service')
-rw-r--r--bitwarden_rs.service39
1 files changed, 31 insertions, 8 deletions
diff --git a/bitwarden_rs.service b/bitwarden_rs.service
index c8263ff33640..1786588d31cb 100644
--- a/bitwarden_rs.service
+++ b/bitwarden_rs.service
@@ -7,38 +7,61 @@ After=network.target
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=bitwarden_rs
Group=bitwarden_rs
+
# The location of the .env file for configuration
EnvironmentFile=/etc/bitwarden_rs.env
+
# The location of the compiled binary
ExecStart=/usr/bin/bitwarden_rs
+
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
+# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
+WorkingDirectory=/var/lib/bitwarden_rs
+ReadWritePaths=/var/lib/bitwarden_rs
+
# Prevent bitwarden_rs from doing anything stupid and/or unneccessary.
-PrivateTmp=true
-PrivateDevices=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+
+PrivateTmp=yes
+PrivateDevices=yes
-ProtectHome=true
+ProtectHome=yes
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectKernelModules=yes
+ProtectKernelLogs=yes
ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectClock=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+RemoveIPC=yes
+UMask=0077
SystemCallArchitectures=native
SystemCallFilter=@system-service
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-
-# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
-WorkingDirectory=/var/lib/bitwarden_rs
-ReadWriteDirectories=/var/lib/bitwarden_rs
+SystemCallFilter=~@resources
+SystemCallFilter=~@privileged
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Restrict bitwarden_rs to only this capability
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# If bitwarden_rs is run at ports >1024, you can enable (remove the leading '#' of)
+# the following lines:
+#PrivateUsers=yes
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+
[Install]
WantedBy=multi-user.target
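Review bot: The two deny-list lines `SystemCallFilter=~@resources` and `SystemCallFilter=~@privileged` added below the `@system-service` allow-list come with no `SystemCallErrorNumber=`, so a call that lands in a filtered group is answered with SIGSYS and the service is killed rather than seeing an error; a library calling `setrlimit` or `sched_setaffinity` at startup, for instance, would show up as an unexplained crash loop. I would add `SystemCallErrorNumber=EPERM` next to the filter lines so a violation surfaces as a logged error the binary can handle. Whether bitwarden_rs actually issues any `@resources` calls cannot be told from the unit file alone, which is exactly why the failure mode should be a soft one. Separately, the comment above `AmbientCapabilities=CAP_NET_BIND_SERVICE` says "ports in the range of 0-1024", but that capability covers privileged ports below 1024; `# Allow bitwarden_rs to bind privileged ports (below 1024)` would be accurate.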