From db8cff3ccb090c53b831f7f5e0b3a7f7e3d858c8 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 2 Nov 2022 19:14:34 +0000
Subject: [PATCH] Add no_new_privilegese to some additional services

---
 cookbooks/blogs/recipes/default.rb       | 1 +
 cookbooks/dns/recipes/default.rb         | 1 +
 cookbooks/geoipupdate/recipes/default.rb | 1 +
 cookbooks/tilelog/recipes/default.rb     | 1 +
 4 files changed, 4 insertions(+)

diff --git a/cookbooks/blogs/recipes/default.rb b/cookbooks/blogs/recipes/default.rb
index 681118f95..c4d425a56 100644
--- a/cookbooks/blogs/recipes/default.rb
+++ b/cookbooks/blogs/recipes/default.rb
@@ -87,6 +87,7 @@ systemd_service "blogs-update" do
   protect_system "strict"
   protect_home true
   read_write_paths "/srv/blogs.openstreetmap.org"
+  no_new_privileges true
 end
 
 systemd_timer "blogs-update" do
diff --git a/cookbooks/dns/recipes/default.rb b/cookbooks/dns/recipes/default.rb
index 7b8c5b6e7..d25c45731 100644
--- a/cookbooks/dns/recipes/default.rb
+++ b/cookbooks/dns/recipes/default.rb
@@ -178,6 +178,7 @@ systemd_service "dns-check" do
   protect_system "strict"
   protect_home true
   read_write_paths "/var/lib/dns"
+  no_new_privileges true
 end
 
 systemd_timer "dns-check" do
diff --git a/cookbooks/geoipupdate/recipes/default.rb b/cookbooks/geoipupdate/recipes/default.rb
index 417d32013..c11b451dc 100644
--- a/cookbooks/geoipupdate/recipes/default.rb
+++ b/cookbooks/geoipupdate/recipes/default.rb
@@ -47,6 +47,7 @@ systemd_service "geoipupdate" do
   protect_system "strict"
   protect_home true
   read_write_paths node[:geoipupdate][:directory]
+  no_new_privileges true
 end
 
 systemd_timer "geoipupdate" do
diff --git a/cookbooks/tilelog/recipes/default.rb b/cookbooks/tilelog/recipes/default.rb
index b911dacff..8a53bab54 100644
--- a/cookbooks/tilelog/recipes/default.rb
+++ b/cookbooks/tilelog/recipes/default.rb
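Review bot: The added `no_new_privileges true` in the blogs-update hunk only changes anything if the unit keeps CAP_SYS_ADMIN, because (per systemd.exec(5), as I recall it) `ProtectSystem=`/`ProtectHome=` already imply `NoNewPrivileges=yes` for units that drop it via `User=`; the `user`/`exec_start` lines of this `systemd_service` are outside the hunk, so I cannot tell which case applies — if the job runs as root this is the right explicit setting, and if it runs as a dedicated user it is harmless but redundant. Either way it is worth checking that whatever blogs-update execs does not rely on a setuid or file-capability helper (sendmail, sudo, ping), since under NoNewPrivileges such a binary runs without the elevation rather than failing at unit start. A one-line why-comment would help the next reader: `# explicit: ProtectSystem/ProtectHome only imply this when the unit drops CAP_SYS_ADMIN`. The enclosing `systemd_service "blogs-update"` block starts before the hunk.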
@@ -60,6 +60,7 @@ systemd_service "tilelog" do
   protect_system "strict"
   protect_home true
   read_write_paths tilelog_output_directory
+  no_new_privileges true
 end
 
 systemd_timer "tilelog" do
-- 
2.43.2
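Review bot: Since `no_new_privileges true` has no visible effect until something in the job tries to gain privileges, this hunk gives no way to notice if the setting did not reach the generated unit (for instance if the cookbook's `systemd_service` resource maps the property under a different name); after converge, confirm with `systemctl show tilelog -p NoNewPrivileges` and, on a running instance, `NoNewPrivs: 1` in `/proc/<pid>/status`. The same four sandboxing lines now appear verbatim in all four recipes touched by this patch, which suggests the property could instead default to true in the shared `systemd_service` resource so new units get it without anyone remembering — I cannot see that resource here, so treat this as a suggestion. The enclosing `systemd_service "tilelog"` block starts before the hunk.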