fix(deploy): drop NoNewPrivileges on web service so FUSE mounts work

The job worker calls fusermount3 (setuid-root) to mount per-instance
FUSE overlays and sudo to invoke the privileged systemctl wrapper.
NoNewPrivileges=true blocks both, surfacing as
"fusermount3: mount failed: Operation not permitted" the first time a
server is started. Hardening is still enforced via dedicated user,
PrivateTmp, ProtectSystem=full, ReadWritePaths, and the narrow sudoers
allowlist limited to two helper scripts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mwiegand 2026-05-07 01:51:39 +02:00
parent d14ed9c117
commit 56b9523d88

@ -15,7 +15,10 @@ EnvironmentFile=/etc/left4me/web.env
ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 8 --bind 0.0.0.0:8000 'l4d2web.app:create_app()' ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 8 --bind 0.0.0.0:8000 'l4d2web.app:create_app()'
Restart=on-failure Restart=on-failure
RestartSec=3 RestartSec=3
NoNewPrivileges=true # NoNewPrivileges intentionally not set: the worker invokes fusermount3
# (setuid-root) to mount FUSE overlays and sudo to run the systemctl
# wrapper. NoNewPrivileges blocks both. Hardening is still provided by
# dedicated user, PrivateTmp, ProtectSystem=full, and narrow sudoers.
PrivateTmp=true PrivateTmp=true
ProtectSystem=full ProtectSystem=full
ReadWritePaths=/var/lib/left4me ReadWritePaths=/var/lib/left4me
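Review bot: removing NoNewPrivileges=true from the unit that runs the HTTP-facing gunicorn process widens the blast radius well beyond fusermount3 and the two sudoers helpers: with the flag gone, any code-execution bug reachable through the web app can now exec every setuid/setgid binary and file-capability binary on the host, and the compensating controls named in the comment (dedicated user, PrivateTmp, ProtectSystem=full, narrow sudoers) constrain filesystem view and sudo only, not privilege gain through other setuid programs. Prefer keeping NoNewPrivileges=true on this unit and moving the mount/systemctl work into a separate worker unit (hypothetical name, e.g. left4me-worker.service) that is the only one allowed to escalate; if the worker must stay in-process, say so explicitly in the comment and in the commit message so reviewers know the web unit is now the privileged one. Two smaller points on the visible context lines: the replacement comment is good, but it should also state which binaries the escalation is scoped to (fusermount3 plus the two helper scripts) so a future reader can re-check the sudoers allowlist against it; and ReadWritePaths=/var/lib/left4me has no effect under ProtectSystem=full (which only makes /usr, /boot, /efi and /etc read-only, leaving /var writable), so either upgrade to ProtectSystem=strict, where that ReadWritePaths line becomes the actual write allowlist, or drop the line rather than cite it as hardening.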