mirror of
https://github.com/SuperBFG7/ympd
synced 2025-08-30 01:07:58 +00:00
Harden ympd.service
This offers a measure of protection against potential ympd vulnerabilities. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for documentation.
This commit is contained in:
Clément Pit-Claudel
committed by
GitHub
GitHub
parent
612f8fc0b2
commit
0917b467e8
@@ -3,6 +3,26 @@ Description=ympd server daemon
|
||||
Requires=network.target local-fs.target
|
||||
|
||||
[Service]
|
||||
User=ympd
|
||||
DynamicUser=yes
|
||||
MountAPIVFS=yes
|
||||
RemoveIPC=yes
|
||||
CapabilityBoundingSet=
|
||||
LockPersonality=yes
|
||||
PrivateUsers=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
ProtectSystem=strict
|
||||
NoNewPrivileges=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictNamespaces=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
|
||||
Environment=MPD_HOST=localhost
|
||||
Environment=MPD_PORT=6600
|
||||
Environment=MPD_PASSWORD=
|
||||
|
||||
Reference in New Issue
Block a user