From 1004500d655f969ad52a38bc5264dc3b3ceaa681 Mon Sep 17 00:00:00 2001 From: Dan Helfman Date: Mon, 11 Oct 2021 09:33:07 -0700 Subject: [PATCH] Update sample systemd service file comments about more granular read-only filesystem settings. --- NEWS | 1 + sample/systemd/borgmatic.service | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index bbcb209f..48f39f13 100644 --- a/NEWS +++ b/NEWS @@ -1,4 +1,5 @@ 1.5.19.dev0 + * Update sample systemd service file with more granular read-only filesystem settings. * Move Gitea and GitHub hosting from a personal namespace to an organization for better collaboration with related projects. * 1k ★s on GitHub! diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service index b6adda96..d025785b 100644 --- a/sample/systemd/borgmatic.service +++ b/sample/systemd/borgmatic.service @@ -32,10 +32,10 @@ RestrictSUIDSGID=yes SystemCallArchitectures=native SystemCallFilter=@system-service SystemCallErrorNumber=EPERM -# Restrict write access -# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file -# system read-only be default and uncomment 'ReadWritePaths' for the required write access. -# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'. +# To restrict write access further, change "ProtectSystem" to "strict" and uncomment +# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository +# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This +# leaves most of the filesystem read-only to borgmatic. ProtectSystem=full # ReadWritePaths=-/mnt/my_backup_drive # ReadOnlyPaths=-/var/lib/my_backup_source
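Review bot: The rewritten comment in the borgmatic.service hunk tells the user to uncomment "ProtectHome" and "BindPaths", but neither line appears in the visible context of this hunk (only "ProtectSystem=full", "# ReadWritePaths=-/mnt/my_backup_drive" and "# ReadOnlyPaths=-/var/lib/my_backup_source" follow it). Please confirm those two directives actually exist as commented-out lines further down in the sample file, or drop them from the comment; otherwise the instruction cannot be followed as written. It would also help to say in the comment that the leading "-" on the sample paths makes systemd skip a path that does not exist rather than fail the unit, since readers copying "-/mnt/my_backup_drive" into their own list will otherwise wonder what it means.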