limit nginx service capabilities

Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
an ambient capability, but it would be inherited by workers. It's better
to leave the supervisor process as root for the time being unless nginx
is taught to use socket activation or drop capabilities for workers.
Daniel Micay 2022-08-10 09:07:25 -04:00
parent ca7c036e8c
commit afce4f2a51


@ -1,4 +1,5 @@
[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
LockPersonality=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
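Review bot: the rendered hunk has lost its +/- markers, but the header (-1,4 +1,5) and the commit title show that the CapabilityBoundingSet= line is the one being added, and CAP_DAC_OVERRIDE is the broadest entry in it: it lets the root master bypass mode bits on any file, so it deserves a comment in the unit stating which path needs it (for example `# CAP_DAC_OVERRIDE: <files the master must open despite their mode>`) and should be dropped if nothing does. CAP_SETUID/CAP_SETGID are clearly required for the master to switch workers to the service user, and CAP_NET_BIND_SERVICE for port 80/443, so those are fine; not adding AmbientCapabilities= is consistent with the commit message. Before merging, it is worth exercising the master's privileged paths under this bounding set (start, reload, log reopen via SIGUSR1, pid-file rewrite) and checking the journal for EPERM, since the bounding set silently removes anything not listed even from a uid 0 process. Together with the existing NoNewPrivileges=true the restriction cannot be regained through set-uid or file-capability binaries, which is the behaviour wanted here.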