Set ProtectHome in systemd service file

Further hardening; the service should be run with as many restrictions as possible without breaking it.
author: setpill <[email protected]> 2019-08-06 14:34:07 +0200
committer: setpill <[email protected]> 2019-08-20 10:54:14 +0200
commit: 870d4152dfc3d990e336723562948835c2dbd646 (patch)
tree: 8de4a04e5c6c6ae8dd26db1960a132586a2cf374 /contrib/init
parent: Chgrp config dir to bitcoin in systemd service (diff)
download: discoin-870d4152dfc3d990e336723562948835c2dbd646.tar.xz
discoin-870d4152dfc3d990e336723562948835c2dbd646.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
index 5f9a64909..34c3e7b3a 100644
--- a/contrib/init/bitcoind.service
+++ b/contrib/init/bitcoind.service
@@ -58,6 +58,9 @@ PrivateTmp=true
 # Mount /usr, /boot/ and /etc read-only for the process.
 ProtectSystem=full
 
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
 # Disallow the process and all of its children to gain
 # new privileges through execve().
 NoNewPrivileges=true
author	setpill <[email protected]>	2019-08-06 14:34:07 +0200
committer	setpill <[email protected]>	2019-08-20 10:54:14 +0200
commit	870d4152dfc3d990e336723562948835c2dbd646 (patch)
tree	8de4a04e5c6c6ae8dd26db1960a132586a2cf374 /contrib/init
parent	Chgrp config dir to bitcoin in systemd service (diff)
download	discoin-870d4152dfc3d990e336723562948835c2dbd646.tar.xz discoin-870d4152dfc3d990e336723562948835c2dbd646.zip