mirror of
https://github.com/yrutschle/sslh.git
synced 2025-04-13 15:47:15 +03:00
760def3444
Update documentation CAP_NET_ADMIN -> CAP_NET_RAW. Remove useless capabilities CAP_SETUID CAP_SETGID in service unit files. There are only useful if not using either User=sslh nor DynamicUser=true
28 lines
617 B
Desktop File
28 lines
617 B
Desktop File
[Unit]
|
|
Description=SSL/SSH multiplexer
|
|
After=network.target
|
|
|
|
[Service]
|
|
EnvironmentFile=/etc/conf.d/sslh
|
|
ExecStart=/usr/sbin/sslh --foreground $DAEMON_OPTS
|
|
KillMode=process
|
|
#Hardening
|
|
PrivateTmp=true
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
SecureBits=noroot-locked
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectControlGroups=true
|
|
MountFlags=private
|
|
NoNewPrivileges=true
|
|
PrivateDevices=true
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
MemoryDenyWriteExecute=true
|
|
DynamicUser=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|