# systemd service unit for the moshpits remote terminal server (mps).
# Read by systemd; see systemd.unit(5) / systemd.exec(5) for directive semantics.
# Comments are full-line only: systemd does not support trailing comments.
[Unit]
Description=moshpits remote terminal server
Documentation=man:mps(1)
# Order after the network; Wants= (rather than Requires=) so the service still
# starts even if network.target fails.
After=network.target
Wants=network.target
[Service]
# mps stays in the foreground; systemd considers it started as soon as it is forked.
Type=simple
# Runs as root: the daemon spawns shells for other users (see the namespace
# notes below), which requires switching identity after PTY allocation.
User=root
Group=root
# Pass -c to read from /etc/moshpits/moshpits.toml instead of the default user
# config at ~/.config/moshpits/moshpits.toml. Remove the flag to use the default.
ExecStart=/usr/bin/mps -c /etc/moshpits/moshpits.toml
# Restart only on non-zero exit / signal / timeout, 5 seconds after the crash.
Restart=on-failure
RestartSec=5s
# Hardening (relaxed for multi-user root daemon)
# NoNewPrivileges=true must not be enabled here: the no_new_privs flag is
# inherited across fork/exec, so every spawned shell would lose the ability to
# run sudo or any setuid binary.
NoNewPrivileges=false
#
# ProtectSystem= and PrivateTmp= are intentionally NOT set here.
# Both directives bind-mount paths read-only (or with a private overlay) in the
# daemon's mount namespace. Because spawned user shells are children of this
# daemon, they inherit that restricted namespace — making /usr, /etc, and /tmp
# appear read-only inside every moshpit session even when the user has sudo.
# A PTY-spawning daemon that provides SSH-like shell access cannot apply these
# forms of per-process filesystem sandboxing.
# Defense-in-depth: moshpits detects namespace restrictions at runtime and
# automatically joins the host mount namespace before spawning each shell
# (see namespace_escape in moshpits.toml, default: true).
#
# false is also the systemd default; kept explicit because users need their
# home directories inside sessions.
ProtectHome=false
# NOTE(review): ReadWritePaths= only widens access inside a read-only sandbox;
# with ProtectSystem= unset it grants nothing extra. Per systemd.exec(5) it
# does, however, itself switch on mount namespacing, so the inheritance caveat
# described above applies to this line as well — confirm it is still wanted.
ReadWritePaths=/var/log/moshpits /etc/moshpits/keys
# NOTE(review): ProtectKernelTunables= and ProtectControlGroups= are likewise
# implemented with mount namespaces (read-only /proc/sys, /sys, /sys/fs/cgroup),
# so spawned shells inherit them unless namespace_escape undoes them.
# ProtectKernelModules= additionally drops CAP_SYS_MODULE from the capability
# bounding set and installs a seccomp filter; both are inherited by child
# processes and are NOT undone by a namespace switch, so module loading inside
# a session will fail even under sudo — TODO confirm this is intended.
# Because the unit runs as root with an unrestricted bounding set, the daemon
# (or anything it spawns as root) can undo every mount-based protection;
# systemd.exec(5) recommends pairing them with CapabilityBoundingSet=~CAP_SYS_ADMIN
# or SystemCallFilter=~@mount, which this unit cannot use. Treat these directives
# as best-effort, not as a security boundary.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Root daemons spawning shells need broad syscall access
# SystemCallFilter=@system-service is too restrictive for arbitrary user shells
[Install]
# Enabled for the normal multi-user (non-graphical) boot target.
WantedBy=multi-user.target