-
Notifications
You must be signed in to change notification settings - Fork 479
Expand file tree
/
Copy pathrsync@.service
More file actions
52 lines (46 loc) · 1.46 KB
/
rsync@.service
File metadata and controls
52 lines (46 loc) · 1.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
[Unit]
Description=fast remote file copy program daemon
After=network.target
[Service]
ExecStart=-/usr/bin/rsync --daemon
StandardInput=socket
StandardOutput=inherit
StandardError=journal
# Citing README.md:
#
# [...] Using ssh is recommended for its security features.
#
# Alternatively, rsync can run in `daemon' mode, listening on a socket.
# This is generally used for public file distribution, [...]
#
# So let's assume some extra security is more than welcome here. We do full
# system protection (which makes /usr, /boot, & /etc read-only) and hide
# devices. To override these defaults, it's best to do so in the drop-in
# directory, often done via `systemctl edit rsync@.service`. The file needs
# just the bare minimum of the right [heading] and override values.
# See systemd.unit(5) and search for "drop-in" for full details.
ProtectSystem=full
#ProtectHome=on|off|read-only
# These are general hardening parameters that should not affect file access
PrivateDevices=on
NoNewPrivileges=on
MemoryDenyWriteExecute=on
LockPersonality=on
PrivateTmp=on
ProtectClock=on
ProtectControlGroups=on
ProtectHostname=on
ProtectKernelLogs=on
ProtectKernelModules=on
ProtectKernelTunables=on
ProtectProc=invisible
ProcSubset=pid
RestrictNamespaces=on
RestrictRealtime=on
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
# These settings work only for inetd-style activation
RestrictAddressFamilies=AF_UNIX
PrivateNetwork=on
IPAddressDeny=any