From b8bb4b5ae9314e3b570d80e0d97555561e315d39 Mon Sep 17 00:00:00 2001 From: Valentin Lorentz Date: Mon, 3 May 2021 23:55:17 +0200 Subject: [PATCH] Move systemd unit hardening from 'supybot-botchk' to 'security' 'supybot-botchk' is meant for beginners, they don't need/want to deal with this. --- use/security.rst | 11 +++++++++++ use/supybot-botchk.rst | 5 ----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/use/security.rst b/use/security.rst index 17af0e1..c8bb01c 100755 --- a/use/security.rst +++ b/use/security.rst @@ -173,3 +173,14 @@ Again, if this is undesirable to you, you can do the following: Note that, when asking for help involving an error, you should enable verbose errors when providing logs (ie. reset these last values to their default), so it is easier to help you diagnose your problems. + +Finally, if you use :ref:`the systemd unit `, you can add +this to its ``[Service]]`` section: + + SystemCallFilter=~@raw-io @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io + ProtectSystem=strict + ProtectHome=read-only + ReadWritePaths=/home/bot/botname + +This might break some plugins, but most will work. You will get explicit +errors if this is an issue, and you can always revert back. diff --git a/use/supybot-botchk.rst b/use/supybot-botchk.rst index 259472d..22576aa 100644 --- a/use/supybot-botchk.rst +++ b/use/supybot-botchk.rst @@ -33,11 +33,6 @@ following content replacing things were suitable:: Restart=always User=BOTUSERNAME SyslogIdentifier=Supybot - # Uncomment these lines for extra security at the cost of breaking some third-party plugins: - # SystemCallFilter=~@raw-io @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io - # ProtectSystem=strict - # ProtectHome=read-only - # ReadWritePaths=/home/bot/botname [Install] WantedBy=multi-user.target
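Review bot: in the use/security.rst hunk, the sentence introducing the directives ends in a single colon ("section:"), so reStructuredText will treat the indented lines as a block quote and reflow the four directives into one paragraph; end it with "::", as the supybot-botchk.rst text does ("were suitable::"), so they render as a literal block that can be copied line by line. In the same added lines, "[Service]]" has a stray closing bracket, and "@raw-io" is listed twice in SystemCallFilter (first and last entry), so one can be dropped. It would also help to state that /home/bot/botname in ReadWritePaths is a placeholder for the bot's own data directory: with ProtectSystem=strict and ProtectHome=read-only it is the only path this snippet makes writable, so a wrong value there stops the bot from writing its own files.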
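Review bot: the use/supybot-botchk.rst hunk removes the commented hardening lines from the unit example without leaving a pointer, so a reader of this page no longer learns that the options exist; consider one sentence after the unit example that links to the security page where they now live, since the new text in security.rst only links in the other direction. The context line "replacing things were suitable" also looks like a typo for "where" and could be fixed while this block is being touched.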