[arch-commits] Commit in couchdb/trunk (PKGBUILD couchdb.service)

Bruno Pagani archange at gemini.archlinux.org
Sun Jul 25 01:24:07 UTC 2021 

    Date: Sunday, July 25, 2021 @ 01:24:07
  Author: archange
Revision: 984931

Harden systemd service a bit more

Modified:
  couchdb/trunk/PKGBUILD
  couchdb/trunk/couchdb.service

-----------------+
 PKGBUILD        |   14 +++++++-------
 couchdb.service |   23 +++++++++++++++++------
 2 files changed, 24 insertions(+), 13 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-07-25 01:20:20 UTC (rev 984930)
+++ PKGBUILD	2021-07-25 01:24:07 UTC (rev 984931)
@@ -5,7 +5,7 @@
 
 pkgname=couchdb
 pkgver=3.1.1
-pkgrel=3
+pkgrel=2
 pkgdesc="Document-oriented database that can be queried and indexed in a MapReduce fashion using JSON"
 arch=(x86_64)
 url="https://couchdb.apache.org"
@@ -19,12 +19,12 @@
         couchdb.sysusers
         couchdb.tmpfiles
         datadirs.ini)
-sha256sums=(8ffe766bba2ba39a7b49689a0732afacf69caffdf8e2d95447e82fb173c78ca3
-            SKIP
-            293fe7ce16de6feb5927bf151360c7441f427f1d6bec73bc9ecb1e530be2b93a
-            3ed1ad2a37a068ce194b03fb72eb35285d60fa7faf2d2c2bb710703d229108a8
-            0ce806cbc5e18e60b17be9fd2cdbd4c7f12cc84ca95b079efdede16ddb5f3efd
-            937ca3498aab47b3f2226d027fa8a1a95de55cbb463373099e28cb9a6c7046ac)
+sha256sums=('8ffe766bba2ba39a7b49689a0732afacf69caffdf8e2d95447e82fb173c78ca3'
+            'SKIP'
+            '38f3e489c031b8c6eacd8b9da3ca91362d7929e8f5e3c8b0e4cf5401c67bf7bb'
+            '3ed1ad2a37a068ce194b03fb72eb35285d60fa7faf2d2c2bb710703d229108a8'
+            '0ce806cbc5e18e60b17be9fd2cdbd4c7f12cc84ca95b079efdede16ddb5f3efd'
+            '937ca3498aab47b3f2226d027fa8a1a95de55cbb463373099e28cb9a6c7046ac')
 validpgpkeys=(2EC788AE3F239FA13E82D215CDE711289384AE37  # Joan Touzet (CODE SIGNING KEY) <wohali at apache.org>
               D2B17F9DA23C0A10991AF2E3D9EE01E47852AEE4) # Jan Lehnardt <jan at apache.org>
 

Modified: couchdb.service
===================================================================
--- couchdb.service	2021-07-25 01:20:20 UTC (rev 984930)
+++ couchdb.service	2021-07-25 01:24:07 UTC (rev 984931)
@@ -9,23 +9,34 @@
 StateDirectory=couchdb
 Environment="ERL_FLAGS=-couch_ini /usr/lib/couchdb/etc/default.ini /usr/lib/couchdb/etc/datadirs.ini /etc/couchdb/local.ini"
 ExecStart=/usr/lib/couchdb/bin/couchdb
+ReadWritePaths=/etc/couchdb/local.ini
 Restart=always
 RestartSec=2s
+AmbientCapabilities=
 CapabilityBoundingSet=
+LockPersonality=true
+# Not compatible with the use of JS
+#MemoryDenyWriteExecute=true
 NoNewPrivileges=True
-PrivateUsers=true
 PrivateDevices=true
 PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=yes
 ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=yes
+ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=strict
-ProtectControlGroups=yes
-ProtectKernelTunables=true
-ProtectKernelModules=yes
-ReadWritePaths=/etc/couchdb/local.ini
-LockPersonality=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
 RestrictRealtime=true
+RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=multi-user.target

More information about the arch-commits mailing list