[Unit] Description=NGCP Panel Webapp After=network.target After=mariadb.service Requires=network.target Wants=mariadb.service [Service] Type=notify Environment="HOME=/usr/share/ngcp-panel" Environment="NPROC=1" User=www-data Group=www-data RuntimeDirectory=fastcgi RuntimeDirectoryPreserve=yes PIDFile=/run/fastcgi/ngcp-panel.pid ExecStart=/usr/share/ngcp-panel/ngcp_panel_fastcgi.pl --listen /run/fastcgi/ngcp-panel.sock --pidfile /run/fastcgi/ngcp-panel.pid --nproc $NPROC # Files + directories not directly associated are made invisible in the /proc/ file system # ProcSubset=pid # Disabled: MT#58964, to be able to read /proc/ngcp/flags/ # Processes owned by other users are hidden from /proc/ # ProtectProc=invisible # Disabled: MT#58964, to be able to read /proc/ngcp/flags/ # Service cannot modify the control group file system (via /sys/fs/cgroup) ProtectControlGroups=true # Service has no access to home directories ProtectHome=true # Service process does not receive ambient capabilities AmbientCapabilities= # Service has no access to other software's temporary files PrivateTmp=true # Service has strict read-only access to the OS file hierarchy ProtectSystem=strict # Limit write access # NOTE: we need r/w access to ngcp-panel/Catalyst tmp folder ReadWritePaths=/ngcp-data/tmp/www-data/ # NOTE: we need r/w access to /ngcp-data/spool/faxserver for sending fax ReadWritePaths=-/ngcp-data/spool/faxserver # NOTE: we need r/w access for sendmail usage with exim ReadWritePaths=-/var/spool/exim4/ ReadWritePaths=-/var/log/exim4/ ReadWritePaths=-/var/mail/ # Service has own user namespace, only root, nobody, and the uid/gid under which the service is running are mapped # NOTE: we can't have our own user namespace, as we need proper permissions e.g. to /ngcp-data/spool/faxserver PrivateUsers=false # Service user cannot leave SysV IPC objects around # NOTE: service runs as root, so option does not matter RemoveIPC=true # Files created by service are accessible only by service's own user by default UMask=0077 # NOTE: Service needs access to the host's network PrivateNetwork=false # Control access to specific device nodes by the executed processes DevicePolicy=closed # NOTE: we need network access to e.g. redis server IPAddressAllow=any # Maximum number of bytes of memory that may be locked into RAM LimitMEMLOCK=0 # NOTE: we need to allow acquisition of new privileges, otherwise sendmail fails to work NoNewPrivileges=false # {{{ # NOTE: all of the following hardenings need to stay disabled, as long as we use the # sendmail(1) interface via perl's Email::Sender::Transport::Sendmail library #CapabilityBoundingSet= #LockPersonality=true #MemoryDenyWriteExecute=true #PrivateDevices=true #ProtectClock=true #ProtectHostname=true #ProtectKernelLogs=true #ProtectKernelModules=true #ProtectKernelTunables=true #RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 #RestrictNamespaces=true #RestrictRealtime=true #RestrictSUIDSGID=true #SystemCallArchitectures=native # Restrict system calls that are allowed to be executed # NOTE: @system-service => reasonable set of system calls used by common system services #SystemCallFilter=@system-service # NOTE: return with ENOSYS instead of terminating the process immediately #SystemCallErrorNumber=ENOSYS # All system calls except the listed ones will be logged #SystemCallLog=~@system-service seccomp # }}} [Install] WantedBy=multi-user.target