From 2fbfa4dcb452f7daca59e5263340e9a0cd9baf0e Mon Sep 17 00:00:00 2001 From: TomZ Date: Sun, 9 Jan 2022 15:37:31 +0100 Subject: [PATCH] Update to make systemd create the user Also use some stricter security features systemd provides. This change from github user John Goerzen @jgoerzen as provided in his comment: https://github.com/yggdrasil-network/yggdrasil-go/pull/816#issuecomment-1006679721 ProtectSystem=strict prevents it from modifying basically anything on the filesystem, so therefore we have to specify the possible locations for the runtime directory under ReadWritePaths. --- contrib/systemd/yggdrasil.service | 8 ++++++-- contrib/systemd/yggdrasil.sysusers | 1 - 2 files changed, 6 insertions(+), 3 deletions(-) delete mode 100644 contrib/systemd/yggdrasil.sysusers diff --git a/contrib/systemd/yggdrasil.service b/contrib/systemd/yggdrasil.service index f824cf02..8115fd62 100644 --- a/contrib/systemd/yggdrasil.service +++ b/contrib/systemd/yggdrasil.service @@ -6,8 +6,6 @@ After=network-online.target After=yggdrasil-default-config.service [Service] -User=yggdrasil -Group=yggdrasil ProtectHome=true ProtectSystem=true SyslogIdentifier=yggdrasil @@ -16,6 +14,12 @@ ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf ExecReload=/bin/kill -HUP $MAINPID Restart=always TimeoutStopSec=5 +Group=yggdrasil +User=yggdrasil-dyn +DynamicUser=true +ProtectSystem=strict +NoNewPrivileges=true +ReadWritePaths=/var/run/yggdrasil /run/yggdrasil # make sure /var/run/yggdrasil/ is created writable for the user. RuntimeDirectory=yggdrasil diff --git a/contrib/systemd/yggdrasil.sysusers b/contrib/systemd/yggdrasil.sysusers deleted file mode 100644 index 1cea8959..00000000 --- a/contrib/systemd/yggdrasil.sysusers +++ /dev/null @@ -1 +0,0 @@ -u yggdrasil - "Yggdrasil network daemon"