From: Christian Hesse Date: Wed, 17 Jun 2020 08:15:32 +0000 (+0200) Subject: update rsync systemd unit, add more security features X-Git-Tag: v3.2.0pre3~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69f445fd094680a1d5c7f4eabed2b7559ed8dd0f;p=thirdparty%2Frsync.git update rsync systemd unit, add more security features --- diff --git a/packaging/systemd/rsync.service b/packaging/systemd/rsync.service index f64d2b6b..ea978141 100644 --- a/packaging/systemd/rsync.service +++ b/packaging/systemd/rsync.service @@ -1,9 +1,27 @@ [Unit] Description=fast remote file copy program daemon ConditionPathExists=/etc/rsyncd.conf +After=network.target [Service] ExecStart=/usr/bin/rsync --daemon --no-detach +RestartSec=1 + +# Citing README.md: +# +# [...] Using ssh is recommended for its security features. +# +# Alternatively, rsync can run in `daemon' mode, listening on a socket. +# This is generally used for public file distribution, [...] +# +# So let's assume some extra security is more than welcome here. We do full +# system protection (which makes it read-only) and hide users' homes and +# devices. See systemd.unit(5) and search for "drop-in" to override. + +ProtectSystem=full +ProtectHome=on +PrivateDevices=on +NoNewPrivileges=on [Install] WantedBy=multi-user.target
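Review bot: RestartSec=1 in [Service] has no effect as written, because the unit sets no Restart= and systemd's default is Restart=no; add a line such as Restart=on-failure next to it, or drop RestartSec. The comment above ProtectSystem=full also overstates the setting: full mounts /usr, the boot loader directories and /etc read-only, not the whole file system (that is ProtectSystem=strict), so the parenthesis "(which makes it read-only)" should name those paths. Because ProtectHome=on makes /home, /root and /run/user inaccessible, the comment should also say that an rsyncd.conf module whose path lies under one of those directories needs a drop-in override, and it could point to systemd.exec(5) for the four directives alongside the systemd.unit(5) reference for drop-ins.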