On 26/07/12 06:09, Peter Lemenkov wrote:
> Hello All.
> I'm trying to write a systemd service for epmd (Erlang Port Mapper
> Daemon, if someone is curious). Its only purpose is to open a TCP port
> 4369 at 0.0.0.0 and act as a simple messaging (very simple actually)
> bus between Erlang nodes. I'd like to run it w/o anything and under a
> most restricted system account. So far I'm using this service:
>
> ================
> [Unit]
> Description=Erlang Port Mapper Daemon
> After=network.target
>
> [Service]
> User=nobody
> Group=nobody
> Type=simple
> PrivateTmp=true
> NoNewPrivileges=true
> ExecStart=/usr/bin/epmd
> ExecStop=/usr/bin/epmd -kill
>
> [Install]
> WantedBy=multi-user.target
> ================
>
> Could someone propose me something to restrict it further? It really
> doesn't need fs access, no exec, no /dev/* access, etc - just open
> socket and send/receive messages. Any advice will be very
> appreciated).
>
You also need access to /dev/zero, /dev/null, /dev/urandom and to your OS's nscd socket path, even if your program does not use them.
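
An added example, not part of the original thread: the unit from the question with further sandboxing directives that keep the device nodes and the nscd socket named in the reply reachable. It assumes a systemd release much newer than this 2012 thread (most of these directives did not exist then) and that epmd needs no capabilities because port 4369 is unprivileged.

```ini
[Unit]
Description=Erlang Port Mapper Daemon
After=network.target

[Service]
Type=simple
User=nobody
Group=nobody
ExecStart=/usr/bin/epmd
ExecStop=/usr/bin/epmd -kill

# Settings already present in the unit from the question.
PrivateTmp=true
NoNewPrivileges=true

# Private /dev that contains only the API pseudo devices
# (/dev/null, /dev/zero, /dev/urandom, ...), no physical devices.
PrivateDevices=true

# Whole file system mounted read-only, home directories hidden.
# Connecting to an existing nscd socket still works on a read-only
# mount; its path is distribution-specific.
ProtectSystem=strict
ProtectHome=true

# No writes to kernel tunables, no module loading, read-only cgroups.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# TCP listener plus AF_UNIX for the nscd socket; nothing else.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Port 4369 is above 1024, so the capability set can be empty.
CapabilityBoundingSet=

# Further reduction of the kernel attack surface.
RestrictNamespaces=true
LockPersonality=true
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze security epmd.service` (unit name assumed) lists which sandboxing settings are in effect for the unit.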