On 3/7/19 4:48 PM, Schanzenbach, Martin wrote:
> Hi,
>
>> On 7. Mar 2019, at 15:28, [email protected] wrote:
>>
>> I just learned about a couple more specific systemd settings.
>> The ones I think which could be useful to extend our systemd
>> example service with are below.
>>
>>> PrivateTmp:
>>> Use private /tmp and /var/tmp folders inside a new file system namespace,
>>> which are discarded after the process stops.
>
> GNUnet has lots of things that need persistence. Like cryptographic keys.

Right, but never anything in /tmp. So this should be fine.

>>
>>> ProtectHome:
>>> The /home, /root, and /run/user folders can not be accessed by this service
>>> anymore. If your Pleroma user has its home folder in one of the restricted
>>> places, or use one of these folders as its working directory, you have to
>>> set this to false.
>>

This breaks file-sharing indexing. So this should (with the current implementation of FS) not be done for gnunet-service-fs by default. Note that my planned (for 2030...) re-design of FS would lift this restriction and enable setting ProtectHome.

> See above. /home/<user>/.config/gnunet et al.
>
>>> ProtectSystem:
>>> Mount /usr, /boot, and /etc as read-only for processes invoked by this
>>> service.
>>
> This might be interesting wrt hardening? Idk.

Yes, and GNUnet by design respects /usr, /boot and /etc being read-only. So it would be a good thing for security to enforce this on platforms where this is easily done.
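The three settings discussed in the thread, written out as a systemd drop-in so the trade-offs can be seen side by side. This is an added example, not a unit file shipped by GNUnet or posted by anyone in the thread; the unit name `gnunet.service` and the drop-in path are assumptions.

```ini
# /etc/systemd/system/gnunet.service.d/hardening.conf
# Added example drop-in. The unit name "gnunet.service" is an assumption;
# adjust it to whatever unit actually starts gnunet-arm on your system.
[Service]
# Private /tmp and /var/tmp in a fresh mount namespace, thrown away when the
# unit stops. Safe for GNUnet: persistent state such as cryptographic keys
# lives in its configured state directory, never in /tmp.
PrivateTmp=yes

# Mount /usr, /boot and /etc read-only for every process of this unit.
# "full" is the level that also covers /etc, matching the thread; "strict"
# would additionally make /var read-only and then need ReadWritePaths= for
# the state directory, so it is not used here.
ProtectSystem=full

# Hide /home, /root and /run/user from the unit. Caveat from the thread:
# with the current FS implementation this breaks gnunet-service-fs indexing
# of files under users' home directories. Because the setting applies to
# every process the unit spawns, it cannot be lifted for FS alone; on peers
# that rely on home-directory indexing, set this to "false" instead.
ProtectHome=yes
```

After adding the drop-in, run `systemctl daemon-reload` and `systemctl restart gnunet.service`, then check that file-sharing indexing still works if you kept `ProtectHome=yes`. `systemd-analyze security gnunet.service` lists which sandboxing directives are in effect and which are still missing, which is a quick way to confirm the drop-in was picked up.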
_______________________________________________
GNUnet-developers mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/gnunet-developers
