Add comment about MemoryDenyWriteExecute value and the tradeoffs thereof.

This commit is contained in:
Dan Helfman 2020-08-23 14:11:19 -07:00
parent 32a93ce8a2
commit 9b83fcbf06

View file

@ -11,6 +11,8 @@ Type=oneshot
# For more details about this settings check the systemd manuals
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes