| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788 |
- # It's not recommended to modify this file in-place, because it will be
- # overwritten during upgrades. If you want to customize, the best
- # way is to use the "systemctl edit" command to create an override unit.
- #
- # For example, to pass additional options, create an override unit
- # (as is done by systemctl edit) and enter the following:
- #
- # [Service]
- # Environment=OPTIONS="-l 127.0.0.1,::1"
- [Unit]
- Description=memcached daemon
- After=network.target
- [Service]
- Environment=PORT=11211
- Environment=USER=memcached
- Environment=MAXCONN=1024
- Environment=CACHESIZE=256
- Environment="OPTIONS=-l 127.0.0.1"
- ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
- # Set up a new file system namespace and mounts private /tmp and /var/tmp
- # directories so this service cannot access the global directories and
- # other processes cannot access this service's directories.
- PrivateTmp=true
- # Mounts the /usr, /boot, and /etc directories read-only for processes
- # invoked by this unit.
- ProtectSystem=full
- # Ensures that the service process and all its children can never gain new
- # privileges
- NoNewPrivileges=true
- # Sets up a new /dev namespace for the executed processes and only adds API
- # pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
- # the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
- PrivateDevices=true
- # Required for dropping privileges and running as a different user
- CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
- # Restricts the set of socket address families accessible to the processes
- # of this unit. Protects against vulnerabilities such as CVE-2016-8655
- RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
- # Some security features are not in the older versions of systemd used by
- # e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
- # build time to uncomment them if the target platform supports them.
- # Attempts to create memory mappings that are writable and executable at
- # the same time, or to change existing memory mappings to become executable
- # are prohibited.
- ##safer##MemoryDenyWriteExecute=true
- # Explicit module loading will be denied. This allows to turn off module
- # load and unload operations on modular kernels. It is recommended to turn
- # this on for most services that do not need special file systems or extra
- # kernel modules to work.
- ##safer##ProtectKernelModules=true
- # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
- # /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
- # will be made read-only to all processes of the unit. Usually, tunable
- # kernel variables should only be written at boot-time, with the sysctl.d(5)
- # mechanism. Almost no services need to write to these at runtime; it is hence
- # recommended to turn this on for most services.
- ##safer##ProtectKernelTunables=true
- # The Linux Control Groups (cgroups(7)) hierarchies accessible through
- # /sys/fs/cgroup will be made read-only to all processes of the unit.
- # Except for container managers no services should require write access
- # to the control groups hierarchies; it is hence recommended to turn this
- # on for most services
- ##safer##ProtectControlGroups=true
- # Any attempts to enable realtime scheduling in a process of the unit are
- # refused.
- ##safer##RestrictRealtime=true
- # Takes away the ability to create or manage any kind of namespace
- ##safer##RestrictNamespaces=true
- [Install]
- WantedBy=multi-user.target
|
