Stowage/rest-server
2
0
Fork 0
mirror of https://github.com/restic/rest-server.git synced 2025-10-19 15:43:21 +00:00
Code Issues Projects Releases Packages Wiki Activity
rest-server/examples
History
Andreas Olsson a994d347ca
Make example systemd service more restrictive 
In addition to any existing filesystem restrictions on the (www-data)
backup user these config options uses namespaces and other kernel
features to further restrict what the _rest-server_ is allowed to do.

* `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures
  that the _rest-server_ is only allowed to write to its data directory.

* `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_
  gets (read) access to.

* `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid
  binaries, etc to escalate its privileges.

See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
for further details

While at I also replaced the _/tmp/restic_ path with a more explicit
placeholder path. Given that one rarely wants to backup to _/tmp_ I
figured it better to force a choice of path rather than to have
someone accidentally end up using _/tmp/restic_ for their backups.
2020-09-13 14:21:32 +02:00
..
bsd remove ip from freebsd example 2018-03-01 08:08:33 +01:00
compose-with-grafana Update examples/compose-with-grafana/README.md 2018-01-21 19:36:01 +01:00
systemd Make example systemd service more restrictive 2020-09-13 14:21:32 +02:00