Diffstat (limited to 'system/netdata.service.in')
-rw-r--r--system/netdata.service.in18
1 files changed, 14 insertions, 4 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in
index 65e33cec29..0dd6eba38d 100644
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -5,13 +5,23 @@ After=network.target httpd.service squid.service nfs-server.service mysqld.servi
[Service]
Type=forking
WorkingDirectory=/tmp
-User=root
-Group=root
-PIDFile=@localstatedir_POST@/run/netdata.pid
-ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata.pid
+User=netdata
+Group=netdata
+RuntimeDirectory=netdata
+PIDFile=@localstatedir_POST@/run/netdata/netdata.pid
+ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid
KillMode=mixed
KillSignal=SIGTERM
TimeoutStopSec=30
+#Hardening
+AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+PrivateTmp=true
+ProtectSystem=full
+ProtectHome=read-only
+#NoNewPrivileges=true is implicitly set by the MemoryDenyWriteExecute=true
+MemoryDenyWriteExecute=true
+
[Install]
WantedBy=multi-user.target
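Review bot: The `AmbientCapabilities=` line puts CAP_DAC_READ_SEARCH and CAP_SYS_PTRACE into the ambient set, so every process the daemon spawns inherits the ability to read any file and trace any process, and `ProtectHome=read-only` does not limit that because it only blocks writes. The `#Hardening` comment should record which component needs each capability, for example `# CAP_DAC_READ_SEARCH / CAP_SYS_PTRACE: required by <component>; inherited by every child process`, so a later reviewer can judge whether they can be narrowed to a single helper. The remark about NoNewPrivileges holds only while `User=` is non-root and `MemoryDenyWriteExecute=` stays, so I would replace the commented line with an explicit `NoNewPrivileges=true`. Separately, `RuntimeDirectory=netdata` creates the directory under /run, while `PIDFile=` and `-P` use `@localstatedir_POST@/run/netdata/`; these agree only where that path resolves to /run, which is worth confirming for non-default prefixes.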