summaryrefslogtreecommitdiffstats
path: root/debian/freeradius.service
blob: e40b858d72780fe868f90b7165190283b22ea0e1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
[Unit]
Description=FreeRADIUS multi-protocol policy server
After=network-online.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/

[Service]
Type=notify
WatchdogSec=60
NotifyAccess=all
EnvironmentFile=-/etc/default/freeradius

# FreeRADIUS can do static evaluation of policy language rules based
# on environmental variables which is very useful for doing per-host
# customization.
# Unfortunately systemd does not allow variable substitutions such
# as %H or $(hostname) in the EnvironmentFile.
# We provide HOSTNAME here for convenience.
Environment=HOSTNAME=%H

# Limit memory to 2G this is fine for %99.99 of deployments.  FreeRADIUS
# is not memory hungry, if it's using more than this, then there's probably
# a leak somewhere.
MemoryMax=2G

# Ensure the daemon can still write its pidfile after it drops
# privileges. Combination of options that work on a variety of
# systems. Test very carefully if you alter these lines.
RuntimeDirectory=freeradius
RuntimeDirectoryMode=0775
User=freerad
Group=freerad

ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
ExecReload=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
ExecReload=/bin/kill -HUP $MAINPID

#  Don't elevate privileges after starting
NoNewPrivileges=true

# Allow binding to secure ports, broadcast addresses, and raw interfaces.
#AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE

# Private /tmp that isn't shared by other processes
PrivateTmp=true

# cgroups are readable only by radiusd, and child processes
ProtectControlGroups=true

# don't load new kernel modules
ProtectKernelModules=true

# don't tune kernel parameters
ProtectKernelTunables=true

# Only allow native system calls
SystemCallArchitectures=native

# We shouldn't be writing to the configuration directory
ReadOnlyDirectories=/etc/freeradius/

# We can read and write to the log directory.
ReadWriteDirectories=/var/log/freeradius/

[Install]
WantedBy=multi-user.target