From a46934c825d5dea4154fb100abf26ec3bc28d5a4 Mon Sep 17 00:00:00 2001
From: Michael Koppmann <me@mkoppmann.at>
Date: Sat, 15 Dec 2018 16:04:23 +0000
Subject: [PATCH] more systemd service hardening (#1488)

---
 support/systemd/peertube.service | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service
index c1bdcf760b..fba644788d 100644
--- a/support/systemd/peertube.service
+++ b/support/systemd/peertube.service
@@ -28,6 +28,11 @@ PrivateDevices=false
 ; Ensures that the service process and all its children can never gain new
 ; privileges through execve().
 NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 
 [Install]
 WantedBy=multi-user.target
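Review bot: `CapabilityBoundingSet=~CAP_SYS_ADMIN` only removes that one capability and leaves every other capability in the bounding set, which is weaker than the comment "Drops the sys admin capability from the daemon" may lead a reader to expect. If the daemon runs as an unprivileged user and does not need to bind a privileged port or otherwise retain a capability, the stronger and simpler form is an empty assignment, `CapabilityBoundingSet=`, which systemd documents as resetting the bounding set to the empty set; the unit's `User=` and `WorkingDirectory=` lines are outside the hunk, so whether any capability is actually required cannot be confirmed from here. For `ProtectHome=true`, the comment already warns about /home, /root and /run/user, but it would help operators to state the consequence explicitly, e.g. `; If the PeerTube install or storage directory lives under /home, the service will fail to start with this enabled.`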
-- 
GitLab