From 6d1daa0424c168eae4bfa9f6772add3f77ec506f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 20 May 2020 15:46:27 +0200
Subject: postfix-sender-login: Better hardening.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Run as a dedicated user, not ‘postfix’.
---
 roles/MSA/files/etc/systemd/system/postfix-sender-login.service | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'roles/MSA/files/etc/systemd/system')

diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
index f5e6d89..d652f75 100644
--- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
@@ -4,8 +4,7 @@ After=mail-transport-agent.target
 Requires=postfix-sender-login.socket
 
 [Service]
-User=postfix
-Group=postfix
+User=_postfix-sender-login
 StandardInput=null
 SyslogFacility=mail
 ExecStart=/usr/local/bin/postfix-sender-login.pl
@@ -13,10 +12,9 @@ ExecStart=/usr/local/bin/postfix-sender-login.pl
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
+PrivateNetwork=yes
 ProtectHome=yes
 ProtectSystem=strict
-PrivateDevices=yes
-PrivateNetwork=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-- 
cgit v1.2.3
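Review bot: In the first hunk, `User=_postfix-sender-login` replaces both `User=postfix` and `Group=postfix`, so the process now runs with that account's primary group, but the unit does not say where the account comes from or what it must be kept away from. The page is limited to the systemd directory, so the account's provisioning is not visible here; if it is missing on a host, the unit will fail at start. It is also worth confirming that `/usr/local/bin/postfix-sender-login.pl` reads nothing that was only reachable through the `postfix` uid or gid. I would add a comment above the line, for example `# Dedicated system account (provisioned outside this unit); must not be a member of group postfix`, so the isolation intent survives later edits. The `[Service]` section continues past the end of the hunk.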