File: gssproxy.service.in

gssproxy 0.9.2-4
# systemd unit template for the gssproxy daemon. Tokens of the form @name@
# (see ExecStart below) are presumably substituted at build time, as the
# ".in" suffix suggests -- confirm against the build system.
[Unit]
Description=GSSAPI Proxy Daemon
# gssproxy is ordered after syslog.target and network.target. After= only
# affects start ordering; it does not pull those targets in.
# NOTE(review): syslog.target is obsolete on current systemd releases and
# has no ordering effect there -- confirm whether it can be dropped.
After=syslog.target network.target
# Start before rpc-gssd.service when both units are part of the same
# transaction.
Before=rpc-gssd.service

# How the daemon is started, supervised and sandboxed.
[Service]
# systemd creates /var/lib/gssproxy/clients and /var/lib/gssproxy/rcache
# before the daemon starts.
StateDirectory=gssproxy/clients gssproxy/rcache
# Point the Kerberos replay cache at the rcache state directory created above.
Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
# @sbindir@ is a template placeholder for the install path. -D presumably
# makes gssproxy daemonize, which is what Type=forking expects -- confirm
# against gssproxy(8).
ExecStart=@sbindir@/gssproxy -D
# These two should be used with traditional UNIX forking daemons
# consult systemd.service(5) for more details
Type=forking
# systemd reads the main PID from this file once the parent process exits.
PIDFile=/run/gssproxy.pid
# Reload is done by sending SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID

# Sandboxing that gssproxy is known to tolerate (see systemd.exec(5)):
#   ProtectSystem=full        /usr, /boot, /efi and /etc are read-only
#   ProtectClock=true         the system clock cannot be changed
#   ProtectKernelLogs=true    no access to the kernel log ring buffer
#   ProtectControlGroups=true the cgroup hierarchy is read-only
#   RestrictRealtime=true     realtime scheduling policies are refused
ProtectSystem=full
ProtectClock=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# The options below are deliberately NOT set; each entry records why, so a
# later hardening pass does not re-enable them and break the daemon.
# NOTE(review): with these left off the daemon still sees /tmp, /home and
# a writable /proc; "systemd-analyze security" on the installed unit can
# be used to review the remaining exposure.
# NoNewPrivileges: when true breaks the ability to open a socket
#   under /var/lib/gssproxy so no NoNewPrivileges
# PrivateTmp: can't be used as it hides ccaches stored in /tmp
# ProtectHome: blocks access to /home which may hold ccaches
# ProtectHostname: blocks propagation of hostname on change
#   but in some cases, when using a keytab, we may want to see hostname
#   changes as the server will want to respond only for the system name
# ProtectKernelTunables: blocks ability to write to proc.
#   on startup gssproxy needs to write in proc to let nfsd know it can
#   use the "new" gssproxy method instead of the old rpc stuff.


# Enabling the unit hooks it into multi-user.target, so it is started as
# part of a normal multi-user boot.
[Install]
WantedBy=multi-user.target