update rsync systemd unit, add more security features

author Christian Hesse <mail@eworm.de>

Wed, 17 Jun 2020 08:15:32 +0000 (10:15 +0200)

committer Wayne Davison <wayne@opencoder.net>

Wed, 17 Jun 2020 16:19:12 +0000 (09:19 -0700)
author Christian Hesse <mail@eworm.de>
Wed, 17 Jun 2020 08:15:32 +0000 (10:15 +0200)
committer Wayne Davison <wayne@opencoder.net>
Wed, 17 Jun 2020 16:19:12 +0000 (09:19 -0700)
diff --git a/packaging/systemd/rsync.service b/packaging/systemd/rsync.service

index f64d2b6ba2f4c0a56d782da58b608836f62e8351..ea978141941a233abd9693999ab1bba502a145e9 100644 (file)
--- a/packaging/systemd/rsync.service
+++ b/packaging/systemd/rsync.service
@@ -1,9 +1,27 @@
  [Unit]
  Description=fast remote file copy program daemon
  ConditionPathExists=/etc/rsyncd.conf
+After=network.target
  
  [Service]
  ExecStart=/usr/bin/rsync --daemon --no-detach
+RestartSec=1
+
+# Citing README.md:
+#
+#   [...] Using ssh is recommended for its security features.
+#
+#   Alternatively, rsync can run in `daemon' mode, listening on a socket.
+#   This is generally used for public file distribution, [...]
+#
+# So let's assume some extra security is more than welcome here. We do full
+# system protection (which makes it read-only) and hide users' homes and
+# devices. See systemd.unit(5) and search for "drop-in" to override.
+
+ProtectSystem=full
+ProtectHome=on
+PrivateDevices=on
+NoNewPrivileges=on
  
  [Install]
  WantedBy=multi-user.target
author	Christian Hesse <mail@eworm.de>
	Wed, 17 Jun 2020 08:15:32 +0000 (10:15 +0200)
committer	Wayne Davison <wayne@opencoder.net>
	Wed, 17 Jun 2020 16:19:12 +0000 (09:19 -0700)