Use PrivateTmp=true on systemd services

Using a private tmp directory improves security.

Author: ekohl

CHANGELOG.md

@@ -7,6 +7,7 @@ This changelog adheres to [Keep a CHANGELOG](http://keepachangelog.com/).
 * Drop platform 6 fpm support
 * On all Debian platforms simplify java depends, allow 17 or 11, prefer 17
 * Add Debian 12 bookworm as a FOSS build target
+* Use systemd's PrivateTmp feature for improved security
 
 ## [2.6.1]
 * Fix the ability to add a resources directory to a project with :include-dir by copying the resources to the staging directory directly.

resources/puppetlabs/lein-ezbake/template/global/ext/debian/ezbake.service.erb

@@ -27,6 +27,7 @@ TimeoutStopSec=<%= EZBake::Config[:stop_timeout] %>
 Restart=on-failure
 StartLimitBurst=5
 PIDFile=/run/puppetlabs/<%= EZBake::Config[:real_name] %>/<%= EZBake::Config[:real_name] %>.pid
+PrivateTmp=true
 
 # https://tickets.puppetlabs.com/browse/EZ-129
 # Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'

resources/puppetlabs/lein-ezbake/template/global/ext/redhat/ezbake.service.erb

@@ -27,6 +27,7 @@ TimeoutStopSec=<%= EZBake::Config[:stop_timeout] %>
 Restart=on-failure
 StartLimitBurst=5
 PIDFile=/run/puppetlabs/<%= EZBake::Config[:real_name] %>/<%= EZBake::Config[:real_name] %>.pid
+PrivateTmp=true
 
 # https://tickets.puppetlabs.com/browse/EZ-129
 # Prior to systemd v228, TasksMax was unset by default, and unlimited. Starting in 228 a default of '512'