Harden AUR systemd services and fpm configuration

The systemd units for the AUR can be hardened to sandbox them further:

  • aurweb-popupdate
  • aurweb-tuvotereminder
  • aurweb-pkgmaint
  • aurweb-mkpkglists
  • aurweb-git (does not require any network interaction!)
  • aurweb-aurblup
  • aurweb-memcached
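As an added example (not part of the original page or of the aurweb project), a systemd drop-in that applies the usual sandboxing directives to aurweb-git, which the list above notes needs no network access at all. The unit name, the dedicated service user and the repository path are assumptions; adjust ReadWritePaths= to whatever the unit actually writes to.

```ini
# /etc/systemd/system/aurweb-git.service.d/hardening.conf  (drop-in, assumed unit name)
[Service]
# Run as a dedicated unprivileged account (assumed user name)
User=aurweb
Group=aurweb
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=

# The page states aurweb-git needs no network: give it an empty network namespace
# and only allow unix sockets (assumption: local DB/socket access may still be needed)
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
IPAddressDeny=any

# Filesystem: read-only system, no /home, private /tmp and /dev;
# only the git repository tree stays writable (assumed path)
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/srv/aur/git
UMask=0077

# Kernel and process-level isolation
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes

# Syscall allow-list: the generic service profile, native ABI only
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload`, `systemd-analyze security aurweb-git.service` reports the remaining exposure score, and the journal will show EPERM failures if the allow-list or ReadWritePaths= is too tight for the unit's real workload.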

The php-fpm configuration can disable the functions that an attacker with code execution in PHP would use to run arbitrary commands, by adding the following to the pool configuration (php_admin_value, unlike php_value, cannot be overridden from a script via ini_set):

  php_admin_value[disable_functions] = passthru, exec, proc_open, shell_exec, system, popen
