From 0917b467e8842b745367ee109c7a6e3388b339c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Pit-Claudel?=
 <cpitclaudel@users.noreply.github.com>
Date: Sun, 10 Mar 2019 16:43:39 +0000
Subject: [PATCH 1/3] Harden ympd.service

This offers a measure of protection against potential ympd vulnerabilities.  See
https://www.freedesktop.org/software/systemd/man/systemd.exec.html for
documentation.
---
 contrib/ympd.service | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/contrib/ympd.service b/contrib/ympd.service
index 49559c7..c3a33f9 100644
--- a/contrib/ympd.service
+++ b/contrib/ympd.service
@@ -3,6 +3,26 @@ Description=ympd server daemon
 Requires=network.target local-fs.target
 
 [Service]
+User=ympd
+DynamicUser=yes
+MountAPIVFS=yes
+RemoveIPC=yes
+CapabilityBoundingSet=
+LockPersonality=yes
+PrivateUsers=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+
 Environment=MPD_HOST=localhost
 Environment=MPD_PORT=6600
 Environment=MPD_PASSWORD=

From aeceb9155122d17caf17804789df255f33aa94b1 Mon Sep 17 00:00:00 2001
From: SuperBFG7 <daniel@despite.ch>
Date: Mon, 22 Apr 2019 11:47:22 +0200
Subject: [PATCH 2/3] moved definition of default user to service file

---
 contrib/ympd.default | 1 -
 contrib/ympd.service | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/contrib/ympd.default b/contrib/ympd.default
index cb3ca72..d97ac73 100644
--- a/contrib/ympd.default
+++ b/contrib/ympd.default
@@ -2,5 +2,4 @@ MPD_HOST=localhost
 MPD_PORT=6600
 MPD_PASSWORD=
 WEB_PORT=8080
-YMPD_USER=nobody
 DIRBLE_API_TOKEN=2e223c9909593b94fc6577361a
diff --git a/contrib/ympd.service b/contrib/ympd.service
index c3a33f9..786d47e 100644
--- a/contrib/ympd.service
+++ b/contrib/ympd.service
@@ -3,7 +3,7 @@ Description=ympd server daemon
 Requires=network.target local-fs.target
 
 [Service]
-User=ympd
+User=nobody
 DynamicUser=yes
 MountAPIVFS=yes
 RemoveIPC=yes

From fff184dca227d566c557a5431fe48dc1db9f2531 Mon Sep 17 00:00:00 2001
From: SuperBFG7 <daniel@despite.ch>
Date: Mon, 22 Apr 2019 11:51:09 +0200
Subject: [PATCH 3/3] moved default user definition to service file

---
 contrib/ympd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/ympd.service b/contrib/ympd.service
index 786d47e..cb1abdc 100644
--- a/contrib/ympd.service
+++ b/contrib/ympd.service
@@ -30,7 +30,7 @@ Environment=WEB_PORT=8080
 Environment=YMPD_USER=nobody
 Environment=DIRBLE_API_TOKEN=2e223c9909593b94fc6577361a
 EnvironmentFile=/etc/default/ympd
-ExecStart=/usr/bin/ympd --user $YMPD_USER --mpdpass "$MPD_PASSWORD" --webport $WEB_PORT --host $MPD_HOST --port $MPD_PORT --dirbletoken $DIRBLE_API_TOKEN
+ExecStart=/usr/bin/ympd --user $USER --mpdpass "$MPD_PASSWORD" --webport $WEB_PORT --host $MPD_HOST --port $MPD_PORT --dirbletoken $DIRBLE_API_TOKEN
 Type=simple
 
 [Install]