diff options
| -rw-r--r-- | contrib/init/bitcoind.service | 12 | ||||
| -rw-r--r-- | doc/init.md | 10 |
2 files changed, 15 insertions, 7 deletions
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service index cfc5f77580..34c3e7b3ab 100644 --- a/contrib/init/bitcoind.service +++ b/contrib/init/bitcoind.service @@ -5,8 +5,9 @@ # See "man systemd.service" for details. # Note that almost all daemon options could be specified in -# /etc/bitcoin/bitcoin.conf, except for those explicitly specified as arguments -# in ExecStart= +# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly +# specified as arguments in ExecStart= will override those in the +# config file. [Unit] Description=Bitcoin daemon @@ -18,6 +19,10 @@ ExecStart=/usr/bin/bitcoind -daemon \ -conf=/etc/bitcoin/bitcoin.conf \ -datadir=/var/lib/bitcoind +# Make sure the config directory is readable by the service user +PermissionsStartOnly=true +ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin + # Process management #################### @@ -53,6 +58,9 @@ PrivateTmp=true # Mount /usr, /boot/ and /etc read-only for the process. ProtectSystem=full +# Deny access to /home, /root and /run/user +ProtectHome=true + # Disallow the process and all of its children to gain # new privileges through execve(). NoNewPrivileges=true diff --git a/doc/init.md b/doc/init.md index a6c9bb94d8..87e939c636 100644 --- a/doc/init.md +++ b/doc/init.md @@ -59,11 +59,11 @@ Data directory: `/var/lib/bitcoind` PID file: `/var/run/bitcoind/bitcoind.pid` (OpenRC and Upstart) or `/run/bitcoind/bitcoind.pid` (systemd) Lock file: `/var/lock/subsys/bitcoind` (CentOS) -The configuration file, PID directory (if applicable) and data directory -should all be owned by the bitcoin user and group. It is advised for security -reasons to make the configuration file and data directory only readable by the -bitcoin user and group. Access to bitcoin-cli and other bitcoind rpc clients -can then be controlled by group membership. +The PID directory (if applicable) and data directory should both be owned by the +bitcoin user and group. It is advised for security reasons to make the +configuration file and data directory only readable by the bitcoin user and +group. Access to bitcoin-cli and other bitcoind rpc clients can then be +controlled by group membership. NOTE: When using the systemd .service file, the creation of the aforementioned directories and the setting of their permissions is automatically handled by |