Verified Commit 501f2adc authored by Jelle van der Waa's avatar Jelle van der Waa 🚧
Browse files

Harden the aurweb tuvotereminder service

This service only requires MySQL access and ability to submit an email.
parent 9a831e39
Pipeline #5398 passed with stage
in 45 seconds
......@@ -7,3 +7,27 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-tuvotereminder
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment