Update systemd .service example

First, ProtectSystem=strict will make the entire file system hierarchy (except
/dev, /proc/ and /sys) read-only, so separate ReadOnlyPaths= is not necessary.

Second, ProtectHome=tmpfs will not just mount an empty tmpfs on /root, but also
on /home and /run/user. As it's likely quite common to want to back up /home,
this seems like a footgun.

Finally, it's quite likely that borgbackup will want access to root's SSH keys
in order to connect to remote backup servers.

Note that all these options are commented out by default, so this is more of
a documentation change than any real change in functionality.
David Härdeman 2023-10-15 11:30:11 +02:00
parent 487d8ffd32
commit 2f3c0bec5b


@ -32,16 +32,16 @@ RestrictSUIDSGID=yes
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=@system-service SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM SystemCallErrorNumber=EPERM
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment # To restrict write access further, change "ProtectSystem" to "strict" and
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository # uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This # "BindReadOnlyPaths". Then add any local repository paths to the list of
# leaves most of the filesystem read-only to borgmatic. # "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
ProtectSystem=full ProtectSystem=full
# ReadWritePaths=-/mnt/my_backup_drive # ReadWritePaths=-/mnt/my_backup_drive
# ReadOnlyPaths=-/var/lib/my_backup_source
# This will mount a tmpfs on top of /root and pass through needed paths # This will mount a tmpfs on top of /root and pass through needed paths
# ProtectHome=tmpfs # TemporaryFileSystem=/root:ro
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
# BindReadOnlyPaths=-/root/.ssh
# May interfere with running external programs within borgmatic hooks. # May interfere with running external programs within borgmatic hooks.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
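Review bot: The new `BindReadOnlyPaths=-/root/.ssh` line and the new `TemporaryFileSystem=/root:ro` line carry no explanation in the unit file itself; the rationale (SSH keys for remote repositories, tmpfs over /root instead of ProtectHome=tmpfs so /home stays visible for backup) lives only in the commit message, which an administrator copying the example will never see. Suggest extending the existing comment, e.g. `# This will mount a tmpfs on top of /root and pass through needed paths; /root/.ssh is` / `# exposed read-only so borgmatic can reach remote repositories over SSH.` The comment block should also mention that with `ProtectSystem=strict` the rest of the filesystem (backup sources included) is already read-only, since the old `ReadOnlyPaths=` hint that implied this is gone.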