-
Notifications
You must be signed in to change notification settings - Fork 333
55 lines (49 loc) · 2.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#
# [email protected] - pump.io systemd service file
#
# Copyright 2016, 2017 AJ Jordan <[email protected]>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file is deliberately set up to provide an extremely restricted environment for pump.io.
# It is strongly recommended that you keep all security options enabled - there is no good reason to disable them and doing so will make things much easier for an attacker in the event of a compromise.
# See also the notes below about PrivateTmp to further increase security.
[Unit]
Description=Pump.io - stream server that does most of what people really want from a social network
Documentation=https://pumpio.readthedocs.io/en/latest/
After=syslog.target network.target %i.service
Requires=%i.service
[Service]
Type=simple
ExecStart=/usr/bin/pump
Environment=NODE_ENV=production
# Security restrictions
# We can't do a whitelist-based {Inaccessible,ReadOnly,ReadWrite}Paths setup because it muddles execute perms
# Instead, we blacklist what we almost for sure don't need. This is obviously much worse, but what're you gonna do?
InaccessiblePaths=/boot
ReadOnlyPaths=/dev
InaccessiblePaths=/mnt
ReadOnlyPaths=/proc
InaccessiblePaths=/sys
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
PrivateDevices=true
RestrictRealtime=true
# Disabled because it may be unexpected if admins go looking for pump.io files in /tmp and find none.
# It's recommended to override this, perhaps with an overlay fragment in /etc, if you're sure you'll remember.
#PrivateTmp=true
[Install]
WantedBy=multi-user.target