Aleksandersen: Limit the impact of a security intrusion with systemd security directives
Daniel Aleksandersen shows how to sandbox a daemon process using a set of systemd features. "These directives combined would have stopped the specific remote code execution vulnerability that afflicted OpenSMTPD. However, the key takeaway is that you should strive to sandbox long-running and internet-exposed services. There's no need for your webserver to be able to load a kernel module, your email server to change the hostname, or your DNS server to launch wget and schedule reoccurring tasks with cron."
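As an added illustration (not from Aleksandersen's article), this is the kind of systemd drop-in that removes the capabilities the quote lists from a mail daemon; the unit name `opensmtpd.service`, the drop-in path and the spool path are assumptions, and every directive must be validated against what the real service actually needs before enabling it.

```ini
# /etc/systemd/system/opensmtpd.service.d/hardening.conf  (assumed path)
# Apply with: systemctl daemon-reload && systemctl restart opensmtpd
# Score the result with: systemd-analyze security opensmtpd.service
[Service]
# Read-only OS, no access to home directories, private /tmp and /dev
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# The daemon still needs its spool; path is an assumption for this example
ReadWritePaths=/var/spool/smtpd
# "No need ... to load a kernel module" or touch kernel tunables/logs
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
# "No need ... to change the hostname" (or the clock)
ProtectHostname=yes
ProtectClock=yes
# No privilege escalation via setuid binaries, namespaces or personalities
NoNewPrivileges=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
# Only the sockets a mail server uses, and only the native ABI
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallArchitectures=native
# Allow the usual service syscalls, deny privileged and resource-control ones;
# denied calls are logged by the kernel and show up in the journal
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Keep only what binding port 25 and dropping to the smtpd user require
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
```

A seccomp-killed child (for example a helper the daemon legitimately spawns) appears in `journalctl -u opensmtpd` as a SIGSYS termination, which is the signal that a filter is too tight for that service.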