theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

systemd: hardening — ProtectSystem=strict, ReadOnlyPaths for /raweb + /srv + letsencrypt, ReadWritePaths for /run + logs; explicitly skip MemoryDenyWriteExecute + ~@resources (known to break LuaJIT/setrlimit)
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m9s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 4m39s
Details

Browse Source
This commit is contained in:
root
2026-05-15 18:19:17 +00:00
parent 4e04e27682
commit 9e8d14bd5d
2 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
static/Raccoon/nginx.service
+31
View File
@@ -15,5 +15,36 @@ ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
TimeoutStartSec=10 TimeoutStartSec=10
LimitNOFILE=65535 LimitNOFILE=65535
# === hardening (compatible with LuaJIT + nginx workers + raweb agent) ===
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# ProtectSystem=strict makes the entire filesystem read-only EXCEPT these.
# /run covers nginx.pid, nginx.lock, and the temp/ subdir (all tmpfs).
ReadWritePaths=/run /var/log/nginx /nginx /hostdata
# Read-only paths nginx legitimately accesses. ProtectSystem=strict already
# allows reads everywhere by default — these are documented for the operator's
# benefit (and so they survive future hardening tightening).
ReadOnlyPaths=/raweb /srv /etc/letsencrypt
# NOTE deliberately OFF:
# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
static/Trixie/nginx.service
+31
View File
@@ -15,5 +15,36 @@ ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
TimeoutStartSec=10 TimeoutStartSec=10
LimitNOFILE=65535 LimitNOFILE=65535
# === hardening (compatible with LuaJIT + nginx workers + raweb agent) ===
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# ProtectSystem=strict makes the entire filesystem read-only EXCEPT these.
# /run covers nginx.pid, nginx.lock, and the temp/ subdir (all tmpfs).
ReadWritePaths=/run /var/log/nginx /nginx /hostdata
# Read-only paths nginx legitimately accesses. ProtectSystem=strict already
# allows reads everywhere by default — these are documented for the operator's
# benefit (and so they survive future hardening tightening).
ReadOnlyPaths=/raweb /srv /etc/letsencrypt
# NOTE deliberately OFF:
# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target