diff --git a/contrib/init/dashd.service b/contrib/init/dashd.service index 8bdb2ae207..5dfd7c0c4d 100644 --- a/contrib/init/dashd.service +++ b/contrib/init/dashd.service @@ -5,8 +5,9 @@ # See "man systemd.service" for details. # Note that almost all daemon options could be specified in -# /etc/dash/dash.conf, except for those explicitly specified as arguments -# in ExecStart= +# /etc/dash/dash.conf, but keep in mind those explicitly +# specified as arguments in ExecStart= will override those in the +# config file. [Unit] Description=Dash daemon @@ -18,6 +19,10 @@ ExecStart=/usr/bin/dashd -daemon \ -conf=/etc/dash/dash.conf \ -datadir=/var/lib/dashd +# Make sure the config directory is readable by the service user +PermissionsStartOnly=true +ExecStartPre=/bin/chgrp dashcore /etc/dash + # Process management #################### @@ -54,6 +59,9 @@ PrivateTmp=true # Mount /usr, /boot/ and /etc read-only for the process. ProtectSystem=full +# Deny access to /home, /root and /run/user +ProtectHome=true + # Disallow the process and all of its children to gain # new privileges through execve(). NoNewPrivileges=true diff --git a/doc/init.md b/doc/init.md index 4b4c5da565..f5d2891912 100644 --- a/doc/init.md +++ b/doc/init.md @@ -59,11 +59,11 @@ Data directory: `/var/lib/dashd` PID file: `/var/run/dashd/dashd.pid` (OpenRC and Upstart) or `/run/dashd/dashd.pid` (systemd) Lock file: `/var/lock/subsys/dashd` (CentOS) -The configuration file, PID directory (if applicable) and data directory -should all be owned by the dashcore user and group. It is advised for security -reasons to make the configuration file and data directory only readable by the -dashcore user and group. Access to dash-cli and other dashd rpc clients -can then be controlled by group membership. +The PID directory (if applicable) and data directory should both be owned by the +dashcore user and group. It is advised for security reasons to make the +configuration file and data directory only readable by the dashcore user and +group. Access to dash-cli and other dashd rpc clients can then be +controlled by group membership. NOTE: When using the systemd .service file, the creation of the aforementioned directories and the setting of their permissions is automatically handled by