It would be good if dictd was configured to use the systemd security features when running on systemd systems. The below are settings that I have tested and found to work.

If we had dictd use all the systemd features instead of just running init.d scripts then we could make it a little stricter; we could remove CAP_SETUID, CAP_SETGID and CAP_KILL for starters.

I know it's close to freeze, but dictd isn't a particularly complex daemon and it won't break things badly if it has a problem. The probability of a system being pwned via dictd is very low but it would be good to get the "systemd-analyze security" score for Debian as low as possible.

[Service]
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_KILL CAP_SYS_PTRACE
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @resources @swap @module @obsolete @clock
ProtectSystem=strict
ProtectProc=invisible
SystemCallArchitectures=native
DevicePolicy=closed
UMask=077
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
MemoryDenyWriteExecute=true
ProtectHostname=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
ProtectClock=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
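
Added example, not part of the original report and not dictd or Debian code: the posted settings assign ProtectSystem= twice, and for a non-list setting systemd uses the last assignment, so this sketch resolves repeated directives in a [Service] block and reports when a later value replaces a stricter one. The function names `resolve` and `weakened_protect_system` are hypothetical, the sample is an excerpt of the settings above, and list settings are simply appended (a `~` prefix is not interpreted).

```python
# Added example (not dictd/Debian code). Assumption: list settings accumulate, others are last-wins.
LIST_KEYS = {"CapabilityBoundingSet", "SystemCallFilter", "RestrictAddressFamilies"}
# ProtectSystem levels from weakest to strongest (boolean spellings normalised to yes/no).
PROTECT_SYSTEM_RANK = {"no": 0, "yes": 1, "full": 2, "strict": 3}
BOOL = {"1": "yes", "true": "yes", "on": "yes", "yes": "yes",
        "0": "no", "false": "no", "off": "no", "no": "no"}

# Excerpt of the settings posted in the report, in their original order.
SAMPLE = """\
[Service]
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_KILL CAP_SYS_PTRACE
ProtectSystem=strict
NoNewPrivileges=true
ProtectSystem=true
ProtectHome=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
"""

def resolve(unit_text):
    """Return (effective settings, [(key, overridden value, winning value)]) for [Service]."""
    effective, overridden, section = {}, [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LIST_KEYS:
            # An empty assignment resets the list; otherwise entries are appended.
            effective[key] = effective.get(key, []) + value.split() if value else []
        else:
            if key in effective and effective[key] != value:
                overridden.append((key, effective[key], value))
            effective[key] = value
    return effective, overridden

def weakened_protect_system(overridden):
    """True if a later ProtectSystem= replaced a stricter earlier one."""
    def rank(value):
        return PROTECT_SYSTEM_RANK[BOOL.get(value.lower(), value.lower())]
    return any(k == "ProtectSystem" and rank(new) < rank(old) for k, old, new in overridden)

if __name__ == "__main__":
    print(resolve(SAMPLE)[1], weakened_protect_system(resolve(SAMPLE)[1]))
```

Running `systemd-analyze security` against the unit on a live system shows the value systemd itself settled on.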