yggdrasil-network/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-04-29 14:45:07 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update to make systemd create the user

Browse source 
Also use some stricter security features systemd provides.

This change from github user John Goerzen @jgoerzen as provided
in his comment:
https://github.com/yggdrasil-network/yggdrasil-go/pull/816#issuecomment-1006679721

ProtectSystem=strict prevents it from modifying basically anything on
the filesystem, so therefore we have to specify the possible locations
for the runtime directory under ReadWritePaths.
This commit is contained in:
TomZ 2022-01-09 15:37:31 +01:00
parent 0c7abaaffb
commit 2fbfa4dcb4
2 changed files with 6 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
contrib/systemd/yggdrasil.service
View file

@ -6,8 +6,6 @@ After=network-online.target
After=yggdrasil-default-config.service After=yggdrasil-default-config.service
[Service] [Service]
User=yggdrasil
Group=yggdrasil
ProtectHome=true ProtectHome=true
ProtectSystem=true ProtectSystem=true
SyslogIdentifier=yggdrasil SyslogIdentifier=yggdrasil
@ -16,6 +14,12 @@ ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
Restart=always Restart=always
TimeoutStopSec=5 TimeoutStopSec=5
Group=yggdrasil
User=yggdrasil-dyn
DynamicUser=true
ProtectSystem=strict
NoNewPrivileges=true
ReadWritePaths=/var/run/yggdrasil /run/yggdrasil
# make sure /var/run/yggdrasil/ is created writable for the user. # make sure /var/run/yggdrasil/ is created writable for the user.
RuntimeDirectory=yggdrasil RuntimeDirectory=yggdrasil

1
contrib/systemd/yggdrasil.sysusers
View file

@ -1 +0,0 @@
u yggdrasil - "Yggdrasil network daemon"