Harden the systemd unit

author Craig Andrews <candrews@integralblue.com>

Tue, 28 Jun 2016 21:02:41 +0000 (17:02 -0400)

committer GitHub <noreply@github.com>

Tue, 28 Jun 2016 21:02:41 +0000 (17:02 -0400)
author Craig Andrews <candrews@integralblue.com>
Tue, 28 Jun 2016 21:02:41 +0000 (17:02 -0400)
committer GitHub <noreply@github.com>
Tue, 28 Jun 2016 21:02:41 +0000 (17:02 -0400)
diff --git a/ejabberd.service.template b/ejabberd.service.template

index 80b15adbdd6508e25cec39987a202ef1656d2096..49ba14737caa0ed4e597291fa2a9c7ca060bd809 100644 (file)
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -12,6 +12,13 @@ ExecStop=@ctlscriptpath@/ejabberdctl stop
  ExecReload=@ctlscriptpath@/ejabberdctl reload_config
  Type=oneshot
  RemainAfterExit=yes
+# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true
  
  [Install]
  WantedBy=multi-user.target
author	Craig Andrews <candrews@integralblue.com>
	Tue, 28 Jun 2016 21:02:41 +0000 (17:02 -0400)
committer	GitHub <noreply@github.com>
	Tue, 28 Jun 2016 21:02:41 +0000 (17:02 -0400)