From 56b9523d88ec0eeaa1f3c65b8a250132a36fc074 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Thu, 7 May 2026 01:51:39 +0200
Subject: [PATCH] fix(deploy): drop NoNewPrivileges on web service so FUSE mounts work

The job worker calls fusermount3 (setuid-root) to mount per-instance FUSE overlays and sudo to invoke the privileged systemctl wrapper. NoNewPrivileges=true blocks both, surfacing as "fusermount3: mount failed: Operation not permitted" the first time a server is started.

Hardening is still enforced via dedicated user, PrivateTmp, ProtectSystem=full, ReadWritePaths, and the narrow sudoers allowlist limited to two helper scripts.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../files/usr/local/lib/systemd/system/left4me-web.service | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/deploy/files/usr/local/lib/systemd/system/left4me-web.service b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
index 079efe0..0cfef4b 100644
--- a/deploy/files/usr/local/lib/systemd/system/left4me-web.service
+++ b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
@@ -15,7 +15,10 @@ EnvironmentFile=/etc/left4me/web.env
 ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 8 --bind 0.0.0.0:8000 'l4d2web.app:create_app()'
 Restart=on-failure
 RestartSec=3
-NoNewPrivileges=true
+# NoNewPrivileges intentionally not set: the worker invokes fusermount3
+# (setuid-root) to mount FUSE overlays and sudo to run the systemctl
+# wrapper. NoNewPrivileges blocks both. Hardening is still provided by
+# dedicated user, PrivateTmp, ProtectSystem=full, and narrow sudoers.
 PrivateTmp=true
 ProtectSystem=full
 ReadWritePaths=/var/lib/left4me
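Review bot: Removing the explicit NoNewPrivileges=true line only restores setuid fusermount3 and sudo if nothing else in the unit re-enables the flag: for a service that does not run as root, systemd implies no_new_privs whenever directives such as SystemCallFilter=, ProtectKernelTunables=, PrivateDevices=, RestrictSUIDSGID= or LockPersonality= are set, and the [Service] lines before line 15 are outside this hunk, so they should be checked before the new comment's claim is trusted (PrivateDevices= would also hide /dev/fuse). Because PrivateTmp=true already puts the service in its own mount namespace, the worker's FUSE mounts presumably stay invisible outside it unless propagation is arranged, which is worth confirming against whatever the sudo-invoked systemctl wrapper starts. The comment names the sudoers allowlist as the remaining privilege boundary but not where it lives; naming it helps the next auditor, e.g. `# Privilege boundary: the sudoers drop-in at <SUDOERS_DROPIN_PATH> permits exactly two helper scripts.`.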