X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=28e02ce089f63edc39362f7123610f77bc3ad578;hb=e958999a4ab6fddd723270b596b4899c0811fa41;hp=13f99478e6a7ffb2d85d59a79984522a7dbac57a;hpb=62dede3e7ad2c0ee566145f3efabf1fd23df46a7;p=distro-setup
diff --git a/mail-setup b/mail-setup
index 13f9947..28e02ce 100755
--- a/mail-setup
+++ b/mail-setup
@@ -3,9 +3,6 @@
 # Copyright (C) 2019 Ian Kelling
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-# todo: sandbox / harden exim:
-# restrict its filesystem access from within systemd
-
 # todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
 # todo: consider hardening cups listening on 0.0.0.0
 # todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
@@ -2355,6 +2352,19 @@ case $HOSTNAME in
 [Service]
 # see 56.2 Root privilege in exim spec
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+# https://www.redhat.com/sysadmin/mastering-systemd
+# things that seem good and reasonabl.e
+PrivateTmp=yes
+ProtectHome=yes
+# note, in t10 systemd, if one of these is an sshfs mountpoint,
+# this whole setting doesnt work. tried it with a newer systemd 250 though
+# an nspawn, and it worked there.
+InaccessiblePaths=d m media mnt nocow o p q
+NoNewPrivileges=yes
+ProtectSystem=yes
+
+# when we get newer systemd
+#ProtectDevices=yes
 EOF
 i /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
 # see 56.2 Root privilege in exim spec
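Review bot: The `InaccessiblePaths=d m media mnt nocow o p q` line in the second hunk lists relative names, and as far as I recall systemd's namespace path settings accept only absolute paths (a leading `-` tolerates a missing one) and log a "Not an absolute path, ignoring" warning for anything else, so this part of the hardening may silently not apply; if these are the host's top-level directories the line should read `InaccessiblePaths=-/d -/m -/media -/mnt -/nocow -/o -/p -/q`, and `systemctl show -p InaccessiblePaths` on the exim unit after a daemon-reload shows what was actually accepted. `ProtectHome=yes` also hides /home from the whole service, so any router or transport that reads `$home/.forward` or delivers into a home-directory mailbox will no longer reach it, which is worth confirming with a test delivery to a local user. Minor: `reasonabl.e` in the added comment is a typo. The heredoc this drop-in is written from begins before the hunk.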