Harden AUR systemd services and fpm configuration
The systemd units for the AUR can be hardened to sandbox them further:
- aurweb-popupdate
- aurweb-tuvotereminder
- aurweb-pkgmaint
- aurweb-mkpkglists
- aurweb-git (does not require any network interaction!)
- aurweb-aurblup
- aurweb-memcached
The php-fpm configuration can disable some functions which can be used by attackers to execute arbitrary commands:
php_admin_value[disable_functions] = passthru, exec, proc_open, shell_exec, system, popen
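A sketch of what such sandboxing could look like for aurweb-git, the unit listed above as needing no network, written as a systemd drop-in. This is an added example, not the project's own unit file. It assumes the unit is named `aurweb-git.service`, runs as an unprivileged user and needs no capabilities; the drop-in path and the `ReadWritePaths=` value are placeholders.

```ini
# /etc/systemd/system/aurweb-git.service.d/hardening.conf
# Added example; the unit name, this path and ReadWritePaths are assumptions.
[Service]
# The unit needs no network: run it in its own network namespace,
# which contains only a loopback interface.
PrivateNetwork=yes
# Permit local unix sockets only; creating any other socket family fails.
RestrictAddressFamilies=AF_UNIX

# No privilege gain through setuid binaries or file capabilities.
NoNewPrivileges=yes
# Empty bounding set (assumes the service needs no capabilities).
CapabilityBoundingSet=
RestrictSUIDSGID=yes

# Read-only view of the filesystem, hidden home directories,
# private /tmp and a minimal /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# ProtectSystem=strict makes everything read-only, so re-open only the
# directories the service writes to. Placeholder path, replace it:
ReadWritePaths=/path/to/writable/data

# Keep the service away from kernel and host state.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes

# Shrink the reachable kernel attack surface.
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
```

After `systemctl daemon-reload` and a restart of the unit, `systemd-analyze security aurweb-git.service` lists which sandboxing options are in effect and which remain unset. The units that do need network access would keep the same baseline without `PrivateNetwork=yes` and with the address families they actually use.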