Commit Graph

12 Commits

Author SHA1 Message Date
niol be67b33f42
systemd service documentation key (#6781)
Co-authored-by: Barak A. Pearlmutter <barak+git@pearlmutter.net>
2024-05-25 11:51:51 -05:00
LaserEyess b562983cbd
Harden systemd service (#6391)
This commit includes strict, but still compatible, service hardening for
transmission-daemon.service. The main goal is a defense-in-depth
strategy that protects users from unknown vulnerabilities in
transmission.

In practice, transmission does not use any of the features that are
blocked in this hardening. However, this is still a network facing
daemon that, by design, accepts connections from unknown peers. So
better safe than sorry.

This commit also installs the service via CMake.

Co-authored-by: LaserEyess <LaserEyess@users.noreply.github.com>
2023-12-24 20:48:18 -06:00
Robin Seth Ekman 9eeb3db89c
daemon: deprecated --log-error -> --log-level=error (#3201)
2022-06-05 01:13:11 -05:00
FallenWarrior2k e7272fc340
fix(daemon): wait for network-online.target (#2721)
network.target does not guarantee interfaces are fully configured, which
can result in bound addresses not being available when the daemon
starts. This leads to errors on start-up and potentially broken
connectivity.
network-online.target does provide these guarantees, but needs a
slightly different dependency configuration with Wants= on top of After=
(cf. systemd.special(7)).

Closes #2720.
2022-02-28 19:25:07 -08:00
Jelle van der Waa 18b8e98e3f
Add ProtectSystem and PrivateTmp to systemd service (#1452)
ProtectSystem mounts /boot, /efi and /usr as read only, basically
disallowing the daemon from ever writing there. PrivateTmp sets up a
file system namespace for /tmp and /var/tmp/ basically hiding it from
other processes.

Co-authored-by: Charles Kerr <charles@charleskerr.com>
2022-02-13 14:06:55 -06:00
Craig Andrews 56dab2bd18
daemon: deny memory wx in transmission-daemon.service (#2573)
Attempts to create memory mappings that are writable and executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory segments as executable are prohibited.

There's no reason transmission should be doing that. If it does, it's because of malicious code exploiting a vulnerability.

See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=
2022-02-04 22:08:51 -06:00
Jelle van der Waa d1d060c3a9
daemon: harden transmission-daemon.service
Systemd 227 introduced the option to make a service disallow elevating
privileges.
2018-12-28 22:47:16 +01:00
Jordan Lee 72f9cb7112
(trunk, daemon) #5503: add an ExecReload rule to the systemd service file.
2014-01-21 02:19:48 +00:00
Jordan Lee 2db09dad54
add After=network.target as suggested by upstream arch bug #31478
2013-07-15 23:49:04 +00:00
Jordan Lee ea19848067
don't hardcode the config dir, as discussed in ticket #4503 comments 17, 19
2013-06-09 22:52:33 +00:00
Jordan Lee d1db86eba9
in transmission-daemon.service, remove unnecessary comments and change Type from simple to notify since transmission-daemon uses sd_notify()
2013-06-09 19:54:58 +00:00
Jordan Lee a7d9f17b22
(trunk daemon) add a systemd service file for transmission-daemon.
Suggestions / improvements welcomed at https://trac.transmissionbt.com/ticket/4503
2013-06-09 18:18:09 +00:00