ifcurl-preview.service: fix cache path for non-root service user

Use CacheDirectory=ifcurl (systemd creates /var/cache/ifcurl owned by the
service user) and XDG_CACHE_HOME=/var/cache so platformdirs resolves to
that path.  Remove the /root/.cache/ifcurl ReadWritePaths entry which was
inaccessible to the unprivileged ifcurl user.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bruno Postle 2026-04-24 21:48:58 +01:00
parent df92114cda
commit 275e74cce8

View file

@ -47,12 +47,14 @@ RestartSec=5
# AF_UNIX is excluded so a compromised subprocess cannot connect to the # AF_UNIX is excluded so a compromised subprocess cannot connect to the
# Forgejo Unix socket if one is present. # Forgejo Unix socket if one is present.
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
Environment=XDG_CACHE_HOME=/var/cache
CacheDirectory=ifcurl
NoNewPrivileges=yes NoNewPrivileges=yes
RestrictSUIDSGID=yes RestrictSUIDSGID=yes
PrivateTmp=yes PrivateTmp=yes
ProtectSystem=strict ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ReadWritePaths=/var/cache/ifcurl /root/.cache/ifcurl ReadWritePaths=/var/cache/ifcurl
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectControlGroups=yes ProtectControlGroups=yes