Add some unit file protection directives
This will improve the security stance of gssproxy on systems that use
systemd.

Signed-off-by: Simo Sorce <simo@redhat.com>
simo5 committed Jun 9, 2022
1 parent f9a187e commit 05140b3
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions systemd/gssproxy.service.in
@@ -13,5 +13,22 @@ Type=forking
PIDFile=/run/gssproxy.pid
ExecReload=/bin/kill -HUP $MAINPID

ProtectSystem=full
ProtectClock=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# NoNewPrivileges: when true breaks the ability to open a socket
# under /var/lib/gssproxy so no NoNewPrivileges
# PrivateTmp: can't be used as it hides ccaches stored in /tmp
# ProtectHome: blocks access to /home which may hold ccaches
# ProtectHostname: blocks propagation of hostname on change
# but in some cases, when using a keytab, we may want to see hostname
# changes as the server will want to respond only for the system name
# ProtectKernelTunables: blocks ability to write to proc.
# on startup gssproxy needs to write in proc to let nfsd know it can
# use the "new" gssproxy method instead of the old rpc stuff.


[Install]
WantedBy=multi-user.target
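Review bot: The two exclusions documented at `# NoNewPrivileges: when true breaks the ability to open a socket` and `# ProtectKernelTunables: blocks ability to write to proc.` record a symptom but not the mechanism, which makes them hard to re-evaluate when the next person revisits this unit. ProtectKernelTunables= in systemd.exec(5) only makes /proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq read-only, so the comment should name the exact proc path gssproxy writes for nfsd; if that path is not under one of those trees the directive can be kept enabled rather than dropped. Likewise the NoNewPrivileges comment should say which privilege transition or LSM interaction breaks the socket under /var/lib/gssproxy, so the exclusion can be retested instead of inherited. Separately, several directives that conflict with none of the constraints listed here (ccaches in /tmp and /home, hostname visibility, the proc write) are absent and would fit next to RestrictRealtime=true as candidates to test: ProtectKernelModules=true, PrivateDevices=true, LockPersonality=true, RestrictNamespaces=true, RestrictSUIDSGID=true and SystemCallArchitectures=native. ProtectSystem=full could also become ProtectSystem=strict with ReadWritePaths= listing /var/lib/gssproxy and the directory holding /run/gssproxy.pid, since strict leaves only /dev, /proc and /sys writable. Running systemd-analyze security gssproxy.service before and after the change shows which exposures remain.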
