A few more systemd tweaks.

NEWS.md

@@ -40,9 +40,10 @@ Protocol: 31 (unchanged)
    variable.
 
  - The default systemd config was changed to remove the `ProtectHome=on`
-   setting since rsync is often used to serve files in /home and this seemed a
-   bit too strict.  Feel free to use `systemctl edit rsync` to add that
-   restriction to your own setup, if you like.
+   setting since rsync is often used to serve files in /home and /root and this
+   seemed a bit too strict.  Feel free to use `systemctl edit rsync` to add
+   that restriction (or maybe `ProtectHome=read-only`), if you like.  See the
+   3.2.0 NEWS for the other restrictions that were added compared to 3.1.3.
 
  - The memory allocation functions now automatically check for a failure and
    die when out of memory.  This eliminated some caller-side check-and-die
@@ -103,11 +104,6 @@ Protocol: 31 (unchanged)
 
 ### ENHANCEMENTS:
 
- - The default systemd config was made a bit stricter by default.  For
-   instance, `ProtectHome=on` was added.  You can override this using the
-   standard `systemctl edit rsync` and add a line to turn that off under a
-   `[Service]` heading.
-
  - The use of `--backup-dir=STR` now implies `--backup`.
 
  - Added `--zl=NUM` as a short-hand for `--compress-level=NUM`.
@@ -201,6 +197,13 @@ Protocol: 31 (unchanged)
 
 ### ENHANCEMENTS:
 
+ - The default systemd config was made stricter by default.  For instance,
+   `ProtectHome=on` (which hides content in /root and /home/USER dirs),
+   `ProtectSystem=full` (which makes /usr, /boot, & /etc dirs read-only), and
+   `PrivateDevices=on` (which hides devices).  You can override any of these
+   using the standard `systemctl edit rsync` and add one or more directives
+   under a `[Service]` heading (and restart the rsync service).
+
  - Various checksum enhancements, including the optional use of openssl's MD4 &
    MD5 checksum algorithms, some x86-64 optimizations for the rolling checksum,
    some x86-64 optimizations for the (non-openssl) MD5 checksum, the addition

packaging/systemd/rsync.service

@@ -16,14 +16,14 @@ RestartSec=1
 #   This is generally used for public file distribution, [...]
 #
 # So let's assume some extra security is more than welcome here. We do full
-# system protection (which makes it read-only) and hide users' homes and
+# system protection (which makes /usr, /boot, & /etc read-only) and hide
 # devices. To override these defaults, it's best to do so in the drop-in
 # directory, often done via `systemctl edit rsync.service`. The file needs
 # just the bare minimum of the right [heading] and override values.
 # See systemd.unit(5) and search for "drop-in" for full details.
 
 ProtectSystem=full
-#ProtectHome=on
+#ProtectHome=on|off|read-only
 PrivateDevices=on
 NoNewPrivileges=on
 

packaging/systemd/rsync@.service

@@ -16,13 +16,13 @@ StandardError=journal
 #   This is generally used for public file distribution, [...]
 #
 # So let's assume some extra security is more than welcome here. We do full
-# system protection (which makes it read-only) and hide users' homes and
+# system protection (which makes /usr, /boot, & /etc read-only) and hide
 # devices. To override these defaults, it's best to do so in the drop-in
 # directory, often done via `systemctl edit rsync@.service`. The file needs
 # just the bare minimum of the right [heading] and override values.
 # See systemd.unit(5) and search for "drop-in" for full details.
 
 ProtectSystem=full
-#ProtectHome=on
+#ProtectHome=on|off|read-only
 PrivateDevices=on
 NoNewPrivileges=on