

Edit the systemd service file of net-vpn/cloudflared to harden the system
hacc1225 committed Mar 17, 2024
1 parent 364f0cc commit 7c20fc3
Showing 1 changed file with 8 additions and 5 deletions.
13 changes: 8 additions & 5 deletions net-vpn/cloudflared/files/cloudflared.service
Expand Up @@ -6,14 +6,14 @@ Wants=network.target
[Service]
Type=notify
ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml --no-autoupdate
User=cloudflared
Group=cloudflared
DynamicUser=true
PrivateUsers=true
Restart=on-failure
RestartSec=5s
TimeoutStartSec=0

# Allow cloudflared access to logfile
ReadWritePaths=/var/log/cloudflared.log
LogsDirectory=cloudflared
ConfigurationDirectory=cloudflared

# Allow cloudflared to bind ports in the range of 0-1024 and restrict it to
# that capability
Expand All @@ -24,7 +24,6 @@ AmbientCapabilities=CAP_NET_BIND_SERVICE
# drop-in file
#CapabilityBoundingSet=
#AmbientCapabilities=
#PrivateUsers=yes

NoNewPrivileges=true
LimitNOFILE=1048576
Expand All @@ -33,6 +32,7 @@ UMask=0077
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateMounts=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
Expand All @@ -52,5 +52,8 @@ SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

NoExecPaths=/
ExecPaths=/usr/bin/cloudflared /usr/lib64 /usr/lib

[Install]
WantedBy=multi-user.target
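Review bot: The kept context line `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the second hunk is very likely ineffective now that `PrivateUsers=true` is set: as far as I know the kernel checks CAP_NET_BIND_SERVICE against the user namespace that owns the socket's network namespace, which without PrivateNetwork= is still the host's, so a capability held only inside the service's private user namespace does not allow binding ports below 1024, and the comment `# Allow cloudflared to bind ports in the range of 0-1024 and restrict it to` above it is now misleading. Either confirm that cloudflared needs no privileged listener and drop the CAP_NET_BIND_SERVICE lines (the commented-out overrides in that hunk already sketch this), or document the limitation next to that comment, e.g. `# NOTE: with PrivateUsers=true this capability only applies inside the user namespace; binding host ports < 1024 needs net.ipv4.ip_unprivileged_port_start lowered or a drop-in without PrivateUsers=`. Separately, the rendered page does not show which lines of the first hunk were removed; if `ReadWritePaths=/var/log/cloudflared.log` survives next to `DynamicUser=true`, a log file created under one transient UID (mode 0600 given UMask=0077) may not be writable after a restart allocates a different UID, so logging should go through the added `LogsDirectory=cloudflared` path instead.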

