From 3f8fbc4e12250f0eed9a2ee57e77042b7d863b4f Mon Sep 17 00:00:00 2001
From: "Alexander \"Arav\" Andreev"
Date: Wed, 30 Mar 2022 01:32:00 +0400
Subject: [PATCH] Another attempt on restricting executable paths.
---
 init/systemd/dwelling-upload-clean.service | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/init/systemd/dwelling-upload-clean.service b/init/systemd/dwelling-upload-clean.service
index 15f5033..5f98df4 100755
--- a/init/systemd/dwelling-upload-clean.service
+++ b/init/systemd/dwelling-upload-clean.service
@@ -6,9 +6,12 @@ Type=oneshot
 User=dwupload
 Group=dwupload
 ExecStart=/usr/bin/dwelling-upload-clean -conf /etc/dwelling/upload.yaml
+
 ReadOnlyPaths=/
 # Set here path to directory where uploads are stored.
 ReadWritePaths=/srv/upload
+NoExecPaths=/
+ExecPaths=/usr/bin/dwelling-upload-clean
 LogsDirectory=dwelling-upload
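Review bot: `NoExecPaths=/` with `ExecPaths=/usr/bin/dwelling-upload-clean` leaves only the binary itself executable. If the binary is dynamically linked, the loader and shared libraries can no longer be mapped executable and the unit will fail at start. The hunk does not show how the binary is built; if it is dynamic, the allow-list needs the library directories as well, along the lines of `ExecPaths=/usr/bin/dwelling-upload-clean /usr/lib /usr/lib64` (adjusted to the distribution's layout). If it is static, a comment such as `# Binary is statically linked, so no library paths are needed here.` would record why the list is this narrow. These two directives also need systemd 248 or newer; older versions ignore unknown keys with a warning and start the unit unrestricted, so a `# Requires systemd >= 248` comment above them is worth adding. The [Service] section starts above the hunk and continues past its last visible line.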