Use PrivateTmp=true on systemd services

Using a private tmp directory improves security.
OpenVoxProject · Feb 20, 2025 · 610bba4 · 610bba4
1 parent fe035de
commit 610bba4
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ This changelog adheres to [Keep a CHANGELOG](http://keepachangelog.com/).
 * Drop platform 6 fpm support
 * On all Debian platforms simplify java depends, allow 17 or 11, prefer 17
 * Add Debian 12 bookworm as a FOSS build target
+* Use systemd's PrivateTmp feature for improved security
 
 ## [2.6.1]
 * Fix the ability to add a resources directory to a project with :include-dir by copying the resources to the staging directory directly.

diff --git a/resources/puppetlabs/lein-ezbake/template/global/ext/debian/ezbake.service.erb b/resources/puppetlabs/lein-ezbake/template/global/ext/debian/ezbake.service.erb
@@ -27,6 +27,7 @@ TimeoutStopSec=<%= EZBake::Config[:stop_timeout] %>
 Restart=on-failure
 StartLimitBurst=5
 PIDFile=/run/puppetlabs/<%= EZBake::Config[:real_name] %>/<%= EZBake::Config[:real_name] %>.pid
+PrivateTmp=true
 
 # https://tickets.puppetlabs.com/browse/EZ-129
 # Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'

diff --git a/resources/puppetlabs/lein-ezbake/template/global/ext/redhat/ezbake.service.erb b/resources/puppetlabs/lein-ezbake/template/global/ext/redhat/ezbake.service.erb
@@ -27,6 +27,7 @@ TimeoutStopSec=<%= EZBake::Config[:stop_timeout] %>
 Restart=on-failure
 StartLimitBurst=5
 PIDFile=/run/puppetlabs/<%= EZBake::Config[:real_name] %>/<%= EZBake::Config[:real_name] %>.pid
+PrivateTmp=true
 
 # https://tickets.puppetlabs.com/browse/EZ-129
 # Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'