From 275e74cce88cfe6a6b013d64e679b035e0ae2f11 Mon Sep 17 00:00:00 2001 From: Bruno Postle Date: Fri, 24 Apr 2026 21:48:58 +0100 Subject: [PATCH] ifcurl-preview.service: fix cache path for non-root service user Use CacheDirectory=ifcurl (systemd creates /var/cache/ifcurl owned by the service user) and XDG_CACHE_HOME=/var/cache so platformdirs resolves to that path. Remove the /root/.cache/ifcurl ReadWritePaths entry which was inaccessible to the unprivileged ifcurl user. Co-Authored-By: Claude Sonnet 4.6 --- forgejo/server-config/ifcurl-preview.service | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/forgejo/server-config/ifcurl-preview.service b/forgejo/server-config/ifcurl-preview.service index b235188..8f06e51 100644 --- a/forgejo/server-config/ifcurl-preview.service +++ b/forgejo/server-config/ifcurl-preview.service @@ -47,12 +47,14 @@ RestartSec=5 # AF_UNIX is excluded so a compromised subprocess cannot connect to the # Forgejo Unix socket if one is present. # --------------------------------------------------------------------------- +Environment=XDG_CACHE_HOME=/var/cache +CacheDirectory=ifcurl NoNewPrivileges=yes RestrictSUIDSGID=yes PrivateTmp=yes ProtectSystem=strict ProtectHome=yes -ReadWritePaths=/var/cache/ifcurl /root/.cache/ifcurl +ReadWritePaths=/var/cache/ifcurl ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes