INN commit: trunk/contrib (sample.init.systemd)
INN Commit
rra at isc.org
Thu Nov 26 19:37:49 UTC 2020
Date: Thursday, November 26, 2020 @ 11:37:48
Author: iulius
Revision: 10429
Improve sample init systemd service unit
Apply more protections.
Sample shared by Russ Allbery.
Modified:
trunk/contrib/sample.init.systemd
---------------------+
sample.init.systemd | 32 +++++++++++++++++++++++---------
1 file changed, 23 insertions(+), 9 deletions(-)
Modified: sample.init.systemd
===================================================================
--- sample.init.systemd 2020-11-24 07:20:05 UTC (rev 10428)
+++ sample.init.systemd 2020-11-26 19:37:48 UTC (rev 10429)
@@ -3,20 +3,34 @@
# This is a simple, bare-bones example of a systemd-style init script for INN.
#
[Unit]
-Description=InterNetNews Daemon
+Description=InterNetNews News Server
Documentation=https://www.eyrie.org/~eagle/software/inn/
-After=syslog.target network.target
+After=network.target
ConditionPathExists=/etc/news/inn.conf
[Service]
+Type=forking
+ExecStart=/usr/lib/news/bin/rc.news
+ExecReload=/usr/sbin/ctlinnd -t 20 reload '' 'systemd unit reload'
+ExecStop=/bin/su -m news -s /bin/sh -c '/usr/lib/news/bin/rc.news stop'
+PIDFile=/run/news/innd.pid
User=news
-PermissionsStartOnly=true
-PIDFile=/run/news/innd.pid
-Type=forking
-ExecStart=/usr/libexec/news/rc.news
-ExecReload=/usr/libexec/news/ctlinnd -t 20 reload '' 'reload asked'
-ExecStop=/bin/su -m news -s /bin/sh -c '/usr/libexec/news/rc.news stop'
-KillMode=control-group
+Group=news
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RuntimeDirectory=news
+# Setting NoNewPrivileges will break most local sendmail implementations
+# because they're setuid or setgid to drop off mail in the mail queue. With
+# this configuration, one can use mSMTP as the configured mta, set to forward
+# mail via SMTP to localhost. Nevertheless, one can probably do better than
+# this by adding some syscall filtering.
+#NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
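Review bot: `ExecStop=/bin/su -m news -s /bin/sh -c '/usr/lib/news/bin/rc.news stop'` still routes the stop through the setuid `su` binary even though this hunk drops `PermissionsStartOnly=true`, so ExecStop already runs as `User=news`/`Group=news` and the `su` hop is redundant; it is also the one command in the unit that would break if the commented-out `NoNewPrivileges=true` were ever enabled, and a non-root `su` may require interactive authentication on some PAM configurations. Consider `ExecStop=/usr/lib/news/bin/rc.news stop`, which keeps the stop path inside the same sandbox as `ExecStart`; if the stop genuinely needs root, systemd's `ExecStop=+/usr/lib/news/bin/rc.news stop` prefix expresses that without a setuid shell-out. The comment block above `#NoNewPrivileges=true` could then state that only the MTA handoff, not the unit's own commands, depends on setuid binaries. Whether `rc.news stop` works unprivileged from this unit is not visible in the hunk and should be confirmed on a test host.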