diff options
author | Craig Andrews <candrews@integralblue.com> | 2016-06-28 15:06:54 -0400 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2016-07-01 18:11:40 -0700 |
commit | 6b52e0196ceb904570b2ae8cc9b38930d27e9f47 (patch) | |
tree | a0157b14b4070c29887889b48094f7984d9231e9 /scripts | |
parent | bc0eb83bb29d586ddb1753e5c0bc9a0f4c1867f5 (diff) | |
download | memcached-6b52e0196ceb904570b2ae8cc9b38930d27e9f47.tar.gz |
systemd hardening
memcached should be isolated and restricted as much as possible to improve security so that if memcached is compromised, the damage will be limited.
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/memcached.service | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/scripts/memcached.service b/scripts/memcached.service index e896dd7..fbeb03d 100644 --- a/scripts/memcached.service +++ b/scripts/memcached.service @@ -6,5 +6,13 @@ After=network.target EnvironmentFile=/etc/sysconfig/memcached ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS +PrivateTmp=true +ProtectSystem=full +NoNewPrivileges=true +PrivateDevices=true + +# Required for dropping privileges and running as a different user +CapabilityBoundingSet=CAP_SETGID CAP_SETUID + [Install] WantedBy=multi-user.target |