Hardening daemons using systemd settings

Started by kalpana, Nov 04, 2023, 05:11 AM

kalpana

Systemd service files allow for restricting the access rights of the daemons they start. Take for instance cupsd; it runs as root, but access to the filesystem can be limited by adding these lines to the unit file:

ReadOnlyPaths=/
ReadWritePaths=/var/cache/cups /etc/cups /run/cups /var/log/cups

A lot more restrictions can be added; see systemd.exec(5).

I maintain my patched unit files in /usr/local/lib/systemd/system where they don't get overwritten when I update the system.

Now my question: Has anybody done a similar thing? Anything on GitHub?
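As an added example (not part of the post above), the following script generates a systemd drop-in that applies the ReadOnlyPaths=/ plus ReadWritePaths= technique and a few further systemd.exec(5) settings, then shows how to install and check it. The unit name cups.service and the list of writable paths are assumptions for the example; derive the real list from what the daemon actually writes (start it with the drop-in, watch the journal for EROFS errors, and add paths until it runs cleanly). The install step needs root and a running systemd, so it is not executed unless you ask for it.

```shell
#!/bin/sh
# Added example, not from the original post or from the CUPS project.
# Generates a hardening drop-in for a systemd service and shows how to
# install and verify it. Unit name and path list below are assumptions.

# gen_hardening_dropin UNIT WRITABLE_PATH... -> prints the drop-in on stdout.
# ReadOnlyPaths=/ turns the service's whole mount namespace read-only;
# ReadWritePaths= re-opens only the listed directories. The deeper path wins,
# so /var/cache/cups stays writable even though / is read-only.
gen_hardening_dropin() {
    unit="$1"; shift
    rw="$*"
    cat <<EOF
# Drop-in for ${unit}: /etc/systemd/system/${unit}.d/10-hardening.conf
[Service]
ReadOnlyPaths=/
ReadWritePaths=${rw}
# systemd.exec(5) warns that a root process can undo ReadOnlyPaths= by
# remounting, so also deny the mount syscall family (or drop CAP_SYS_ADMIN).
SystemCallFilter=~@mount
# Further restrictions from systemd.exec(5); enable them one at a time and
# test the daemon after each, since every one is a separate namespace or
# seccomp restriction and some daemons legitimately need what they remove.
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
EOF
}

# install_dropin UNIT WRITABLE_PATH... (root + running systemd required).
# A drop-in in /etc/systemd/system/UNIT.d/ is merged over the vendor unit and
# survives package updates; the merged result is visible with systemctl cat.
install_dropin() {
    unit="$1"; shift
    dir="/etc/systemd/system/${unit}.d"
    mkdir -p "$dir"
    gen_hardening_dropin "$unit" "$@" > "$dir/10-hardening.conf"
    systemctl daemon-reload
    systemctl cat "$unit"
    # Syntax check and exposure score before restarting the daemon.
    systemd-analyze verify "$unit"
    systemd-analyze security "$unit"
    systemctl restart "$unit"
    systemctl --no-pager status "$unit"
    # Writes outside ReadWritePaths= show up here as "Read-only file system".
    journalctl -u "$unit" -n 20 --no-pager
}

# Assumed example: cupsd also needs /var/spool/cups for print jobs, which the
# list in the post does not include; confirm against your own system.
CUPS_RW_PATHS="/var/cache/cups /etc/cups /run/cups /var/log/cups /var/spool/cups"

case "${1:-}" in
    print)   gen_hardening_dropin cups.service $CUPS_RW_PATHS ;;
    install) install_dropin cups.service $CUPS_RW_PATHS ;;
    *)       : ;;  # no argument: define the functions only
esac
```

Run `sh harden.sh print` to review the generated fragment, and `sudo sh harden.sh install` to apply it. After the restart, `systemd-analyze security cups.service` lists each sandbox setting and its effect on the exposure score, which is the quickest way to see what is still open.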