On 07/26/2012 12:09 PM, Peter Lemenkov wrote:
> Hello All.
> I'm trying to write a systemd service for epmd (Erlang Port Mapper
> Daemon, if someone is curious). Its only purpose is to open a TCP port
> 4369 at 0.0.0.0 and act as a simple messaging (very simple actually)
> bus between Erlang nodes. I'd like to run it w/o anything and under a
> most restricted system account. So far I'm using this service:
>
> ================
> [Unit]
> Description=Erlang Port Mapper Daemon
> After=network.target
>
> [Service]
> User=nobody
> Group=nobody
> Type=simple
> PrivateTmp=true
> NoNewPrivileges=true
> ExecStart=/usr/bin/epmd
> ExecStop=/usr/bin/epmd -kill
>
> [Install]
> WantedBy=multi-user.target
> ================
>
> Could someone propose me something to restrict it further? It really
> doesn't need fs access, no exec, no /dev/* access, etc. - just open a
> socket and send/receive messages. Any advice will be very
> appreciated.

Hi,
1. Change nobody to a custom user. nobody is used by NFS for unmappable users, and thus should not be used for unprivileged daemons.
2. Type=simple is the default, can be dropped.
3. Add RootDirectory=/var/empty
4. If you convert it to socket activation, then it won't even need the privilege to open sockets.
5. Add SystemCallFilter=recv,recvmsg,sendmsg,... (whatever is necessary).

HTH,
Zbyszek

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
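The five suggestions above, applied to the unit from the original post as a socket/service pair. This is an added example written for this page, not a unit file from either poster or from the Erlang project; the user name `epmd`, the chroot contents and the syscall allow list are assumptions, and it assumes the daemon accepts the listening socket handed over by systemd via LISTEN_FDS (the thread does not confirm that epmd does).

```ini
# /etc/systemd/system/epmd.socket  (added example, not from the thread)
# systemd owns the listening socket, so the service itself never needs
# the privilege to bind port 4369 (point 4 of the reply).
[Socket]
ListenStream=0.0.0.0:4369
# Access to the port itself is the only thing the daemon needs.

[Install]
WantedBy=sockets.target

# /etc/systemd/system/epmd.service  (added example, not from the thread)
[Unit]
Description=Erlang Port Mapper Daemon
Requires=epmd.socket
After=network.target epmd.socket

[Service]
# Point 1: a dedicated account instead of nobody (assumed to exist,
# e.g. created with useradd -r -s /sbin/nologin epmd).
User=epmd
Group=epmd
# Point 2: Type=simple is the default and is therefore omitted.
PrivateTmp=true
NoNewPrivileges=true
# Point 3: chroot into an empty directory. RootDirectory= is applied
# before ExecStart= runs, so /usr/bin/epmd and every shared library it
# loads must also exist under /var/empty (or the binary must be static);
# otherwise the unit fails to start.
RootDirectory=/var/empty
# Point 5: syscall allow list. The names below are an assumption to be
# checked against the daemon (e.g. with strace); with a whitelist, a
# missing entry kills the process rather than denying one call.
SystemCallFilter=read write recvfrom recvmsg sendto sendmsg accept accept4 \
    poll select close fcntl getsockopt setsockopt getsockname \
    mmap munmap brk rt_sigaction rt_sigprocmask futex getpid \
    exit exit_group
# With socket activation the daemon no longer calls socket/bind/listen
# itself, which is why those do not appear in the list above.
ExecStart=/usr/bin/epmd
ExecStop=/usr/bin/epmd -kill

[Install]
WantedBy=multi-user.target
```

Enabling epmd.socket rather than epmd.service is what makes the listening port independent of the daemon's privileges; `systemctl status epmd.socket` shows whether the socket is held by systemd.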