mirror of
https://github.com/brunopostle/ifcurl.git
synced 2026-07-12 02:08:13 +00:00
ifcurl-preview.service: fix cache path for non-root service user
Use CacheDirectory=ifcurl (systemd creates /var/cache/ifcurl owned by the service user) and XDG_CACHE_HOME=/var/cache so platformdirs resolves to that path. Remove the /root/.cache/ifcurl ReadWritePaths entry which was inaccessible to the unprivileged ifcurl user. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
df92114cda
commit
275e74cce8
1 changed files with 3 additions and 1 deletions
|
|
@ -47,12 +47,14 @@ RestartSec=5
|
||||||
# AF_UNIX is excluded so a compromised subprocess cannot connect to the
|
# AF_UNIX is excluded so a compromised subprocess cannot connect to the
|
||||||
# Forgejo Unix socket if one is present.
|
# Forgejo Unix socket if one is present.
|
||||||
# ---------------------------------------------------------------------------
|
# ---------------------------------------------------------------------------
|
||||||
|
Environment=XDG_CACHE_HOME=/var/cache
|
||||||
|
CacheDirectory=ifcurl
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
RestrictSUIDSGID=yes
|
RestrictSUIDSGID=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ReadWritePaths=/var/cache/ifcurl /root/.cache/ifcurl
|
ReadWritePaths=/var/cache/ifcurl
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue