lobon (Mailman-VM) #30

Merged
Gonne merged 5 commits from Gonne/nixConfig:lobon into main 2024-10-12 14:10:02 +00:00
Showing only changes of commit 081b9a9d34 - Show all commits

View file

@ -93,7 +93,25 @@ in {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "mailman"; User = "mailman";
NoNewPrivileges = true;
Outdated
Review

can we set NoNewPrivileges = true;? or does it break the service?

And one could read the Sandboxing part of systemd.exec(5)

can we set `NoNewPrivileges = true;`? or does it break the service? And one could read the Sandboxing part of `systemd.exec(5)`
Outdated
Review

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out ExecPaths= and NoExecPaths= because the correct values are unclear to me.

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out `ExecPaths=` and `NoExecPaths=` because the correct values are unclear to me.
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = true; PrivateTmp = true;
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
}; };
}; };
nerf marked this conversation as resolved Outdated
Outdated
Review

This is probably a bigger refactoring pull request and outside the scope of this one.
We could think making it easier configurable that backups are made by a user that can
basically read everything but not write.

This is probably a bigger refactoring pull request and outside the scope of this one. We could think making it easier configurable that backups are made by a user that can basically read everything but not write.