Safer systemd service file

[gvalkov]

Hello,

The example systemd service file is not particularly secure. It would be useful to have a more elaborate example and directions on how to further secure it (i.e. systemd-analyze security) :

[Unit]
Description=Warpgate
After=network.target
StartLimitIntervalSec=0

[Service]
ProtectSystem=strict
PrivateTmp=true
PrivateUsers=True
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectProc=noaccess
ProtectHostname=true
MemoryDenyWriteExecute=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX  # AF_UNIX is needed by sd_notify
LockPersonality=true
ProtectClock=true
NoNewPrivileges=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
CapabilityBoundingSet=

# You may want to modify the following to fit your environment.
ReadWritePaths=/opt/warpgate 
ExecPaths=/usr/local/bin/warpgate
SocketBindAllow=ipv4:8888
SocketBindAllow=ipv4:8888
SocketBindDeny=any
User=warpgate

Type=notify
UMask=0027
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/warpgate --config /opt/warpgate/config.yaml run

[Install]
WantedBy=multi-user.target

The above results in a systemd-analyze security score of 2.9 OK.

[krishardy]

Fantastic. I created an issue that I intend to work on to improve the docs. This will be added to it.

#1302