You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The example systemd service file is not particularly secure. It would be useful to have a more elaborate example and directions on how to further secure it (i.e. systemd-analyze security) :
[Unit]Description=Warpgate
After=network.target
StartLimitIntervalSec=0
[Service]ProtectSystem=strict
PrivateTmp=true
PrivateUsers=True
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectProc=noaccess
ProtectHostname=true
MemoryDenyWriteExecute=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX # AF_UNIX is needed by sd_notifyLockPersonality=true
ProtectClock=true
NoNewPrivileges=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
CapabilityBoundingSet=
# You may want to modify the following to fit your environment.ReadWritePaths=/opt/warpgate
ExecPaths=/usr/local/bin/warpgate
SocketBindAllow=ipv4:8888
SocketBindAllow=ipv4:8888
SocketBindDeny=any
User=warpgate
Type=notify
UMask=0027
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/warpgate --config /opt/warpgate/config.yaml run
[Install]WantedBy=multi-user.target
The above results in a systemd-analyze security score of 2.9 OK.
The text was updated successfully, but these errors were encountered:
Hello,
The example systemd service file is not particularly secure. It would be useful to have a more elaborate example and directions on how to further secure it (i.e.
systemd-analyze security) :The above results in a
systemd-analyze securityscore of 2.9 OK.The text was updated successfully, but these errors were encountered: