The branch, master has been updated via 544b3d8b A few more systemd tweaks. from ce12142c Don't set systemd ProtectHome=on by default.
https://git.samba.org/?p=rsync.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 544b3d8b3b07279ba53ce4dcff656a7fc70156b8 Author: Wayne Davison <wa...@opencoder.net> Date: Wed Jul 1 11:36:00 2020 -0700 A few more systemd tweaks. ----------------------------------------------------------------------- Summary of changes: NEWS.md | 19 +++++++++++-------- packaging/systemd/rsync.service | 4 ++-- packaging/systemd/rsync@.service | 4 ++-- 3 files changed, 15 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/NEWS.md b/NEWS.md index e30d9903..14284729 100644 --- a/NEWS.md +++ b/NEWS.md @@ -40,9 +40,10 @@ Protocol: 31 (unchanged) variable. - The default systemd config was changed to remove the `ProtectHome=on` - setting since rsync is often used to serve files in /home and this seemed a - bit too strict. Feel free to use `systemctl edit rsync` to add that - restriction to your own setup, if you like. + setting since rsync is often used to serve files in /home and /root and this + seemed a bit too strict. Feel free to use `systemctl edit rsync` to add + that restriction (or maybe `ProtectHome=read-only`), if you like. See the + 3.2.0 NEWS for the other restrictions that were added compared to 3.1.3. - The memory allocation functions now automatically check for a failure and die when out of memory. This eliminated some caller-side check-and-die @@ -103,11 +104,6 @@ Protocol: 31 (unchanged) ### ENHANCEMENTS: - - The default systemd config was made a bit stricter by default. For - instance, `ProtectHome=on` was added. You can override this using the - standard `systemctl edit rsync` and add a line to turn that off under a - `[Service]` heading. - - The use of `--backup-dir=STR` now implies `--backup`. - Added `--zl=NUM` as a short-hand for `--compress-level=NUM`. @@ -201,6 +197,13 @@ Protocol: 31 (unchanged) ### ENHANCEMENTS: + - The default systemd config was made stricter by default. For instance, + `ProtectHome=on` (which hides content in /root and /home/USER dirs), + `ProtectSystem=full` (which makes /usr, /boot, & /etc dirs read-only), and + `PrivateDevices=on` (which hides devices). You can override any of these + using the standard `systemctl edit rsync` and add one or more directives + under a `[Service]` heading (and restart the rsync service). + - Various checksum enhancements, including the optional use of openssl's MD4 & MD5 checksum algorithms, some x86-64 optimizations for the rolling checksum, some x86-64 optimizations for the (non-openssl) MD5 checksum, the addition diff --git a/packaging/systemd/rsync.service b/packaging/systemd/rsync.service index 5955db9e..8a0b5820 100644 --- a/packaging/systemd/rsync.service +++ b/packaging/systemd/rsync.service @@ -16,14 +16,14 @@ RestartSec=1 # This is generally used for public file distribution, [...] # # So let's assume some extra security is more than welcome here. We do full -# system protection (which makes it read-only) and hide users' homes and +# system protection (which makes /usr, /boot, & /etc read-only) and hide # devices. To override these defaults, it's best to do so in the drop-in # directory, often done via `systemctl edit rsync.service`. The file needs # just the bare minimum of the right [heading] and override values. # See systemd.unit(5) and search for "drop-in" for full details. ProtectSystem=full -#ProtectHome=on +#ProtectHome=on|off|read-only PrivateDevices=on NoNewPrivileges=on diff --git a/packaging/systemd/rsync@.service b/packaging/systemd/rsync@.service index 3168cb61..63ba0c7c 100644 --- a/packaging/systemd/rsync@.service +++ b/packaging/systemd/rsync@.service @@ -16,13 +16,13 @@ StandardError=journal # This is generally used for public file distribution, [...] # # So let's assume some extra security is more than welcome here. We do full -# system protection (which makes it read-only) and hide users' homes and +# system protection (which makes /usr, /boot, & /etc read-only) and hide # devices. To override these defaults, it's best to do so in the drop-in # directory, often done via `systemctl edit rsync@.service`. The file needs # just the bare minimum of the right [heading] and override values. # See systemd.unit(5) and search for "drop-in" for full details. ProtectSystem=full -#ProtectHome=on +#ProtectHome=on|off|read-only PrivateDevices=on NoNewPrivileges=on -- The rsync repository. _______________________________________________ rsync-cvs mailing list rsync-cvs@lists.samba.org https://lists.samba.org/mailman/listinfo/rsync-cvs