blob: 3da4b422f5d9c7cb22360650ef357ff43d9b5db8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
diff --git a/debian/freeradius.service b/debian/freeradius.service
index 99873c0..97efc66 100644
--- a/debian/freeradius.service
+++ b/debian/freeradius.service
@@ -17,12 +17,26 @@ Environment=HOSTNAME=%H
# a leak somewhere.
MemoryLimit=2G
-RuntimeDirectory=freeradius
+RuntimeDirectory=radiusd
RuntimeDirectoryMode=0775
-ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
-ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
+Group=radius
+User=radius
+ExecStartPre=/usr/sbin/radiusd $RADIUSD_OPTS -Cx -lstdout
+ExecStart=/usr/sbin/radiusd -f $RADIUSD_OPTS
+ExecReload=/usr/sbin/radiusd -C $RADIUSD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5
+ReadOnlyDirectories=/etc/raddb/
+ReadWriteDirectories=/var/log/radius/
+# Security options (https://github.com/FreeRADIUS/freeradius-server/issues/2637)
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
|
