[arch-packages.git] / shadow / repos / core-x86_64 / shadow.service
1 [Unit]
2 Description=Verify integrity of password and group files
# Ordering only: when both units are queued, this one starts after
# systemd-sysusers.service, presumably so that accounts it creates are already
# present when the files are checked. After= does not pull that unit in.
3 After=systemd-sysusers.service
5 [Service]
# The capability bounding set is reduced to CAP_DAC_READ_SEARCH, which bypasses
# file read and directory search permission checks only. Presumably this is what
# lets the checkers read the shadow files; no write or administrative capability
# remains available to the process.
6 CapabilityBoundingSet=CAP_DAC_READ_SEARCH
7 # Always run both checks, but fail the service if either fails
# How the exit status is built: a pwck failure sets r=1 and grpck still runs.
# If grpck fails, `&&` skips `exit` and the shell returns grpck's non-zero status.
# If only pwck failed, `exit $r` returns 1. If both pass, $r is unset and `exit`
# returns grpck's status 0. Both tools run with -r (read-only mode), so they
# report problems without modifying the files.
8 ExecStart=/bin/sh -c '/usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r'
# Lowest CPU niceness and lowest priority within the best-effort I/O class:
# the check yields to other work on the machine.
9 Nice=19
10 IOSchedulingClass=best-effort
11 IOSchedulingPriority=7
# Deny all IP traffic for this unit.
12 IPAddressDeny=any
# Forbid changing the execution domain (personality).
13 LockPersonality=yes
# Forbid memory mappings that are both writable and executable.
14 MemoryDenyWriteExecute=yes
# The process and its children cannot gain privileges through execve().
15 NoNewPrivileges=yes
# Private /dev without physical devices; private network namespace; private /tmp.
16 PrivateDevices=yes
17 PrivateNetwork=yes
18 PrivateTmp=yes
# Expose only the per-process part of /proc.
19 ProcSubset=pid
# Block changes to the clock, the cgroup tree and the hostname; make home
# directories read-only; block access to the kernel log, module loading and
# kernel tunables.
20 ProtectClock=yes
21 ProtectControlGroups=yes
22 ProtectHome=read-only
23 ProtectHostname=yes
24 ProtectKernelLogs=yes
25 ProtectKernelModules=yes
26 ProtectKernelTunables=yes
# Hide processes owned by other users in /proc.
27 ProtectProc=invisible
# Mount the whole file system hierarchy read-only for this service. Together
# with the -r flags in ExecStart, the check has no write path to the account files.
28 ProtectSystem=strict
# NOTE(review): AF_INET and AF_INET6 are still allowed here although
# PrivateNetwork=yes and IPAddressDeny=any leave the service without a usable
# network. AF_UNIX alone may be sufficient - confirm against the NSS setup
# before tightening.
29 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# No new namespaces, no creation of set-user-ID/set-group-ID files, no realtime
# scheduling.
30 RestrictNamespaces=yes
31 RestrictSUIDSGID=yes
32 RestrictRealtime=yes
# Only system calls of the native architecture are permitted.
33 SystemCallArchitectures=native
# Start from the @system-service allow-list, then remove the @resources and
# @privileged groups from it (the leading ~ negates the group).
34 SystemCallFilter=@system-service
35 SystemCallFilter=~@resources
36 SystemCallFilter=~@privileged
# Any file the service creates is accessible to its owner only.
37 UMask=0077