systemd hardening

memcached should be isolated and restricted as much as possible to improve security so that if memcached is compromised, the damage will be limited.
author: Craig Andrews <candrews@integralblue.com> 2016-06-28 15:06:54 -0400
committer: dormando <dormando@rydia.net> 2016-07-01 18:11:40 -0700
commit: 6b52e0196ceb904570b2ae8cc9b38930d27e9f47 (patch)
tree: a0157b14b4070c29887889b48094f7984d9231e9 /scripts
parent: bc0eb83bb29d586ddb1753e5c0bc9a0f4c1867f5 (diff)
download: memcached-6b52e0196ceb904570b2ae8cc9b38930d27e9f47.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/scripts/memcached.service b/scripts/memcached.service
index e896dd7..fbeb03d 100644
--- a/scripts/memcached.service
+++ b/scripts/memcached.service
@@ -6,5 +6,13 @@ After=network.target
 EnvironmentFile=/etc/sysconfig/memcached
 ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
 
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
+# Required for dropping privileges and running as a different user
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID
+
 [Install]
 WantedBy=multi-user.target
author	Craig Andrews <candrews@integralblue.com>	2016-06-28 15:06:54 -0400
committer	dormando <dormando@rydia.net>	2016-07-01 18:11:40 -0700
commit	6b52e0196ceb904570b2ae8cc9b38930d27e9f47 (patch)
tree	a0157b14b4070c29887889b48094f7984d9231e9 /scripts
parent	bc0eb83bb29d586ddb1753e5c0bc9a0f4c1867f5 (diff)
download	memcached-6b52e0196ceb904570b2ae8cc9b38930d27e9f47.tar.gz