From 593611e194be6243fb71b4d5838f34919d4cf74b Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Thu, 7 May 2026 01:57:43 +0200
Subject: [PATCH] fix(deploy): drop PrivateTmp on web service so fuse mounts propagate

PrivateTmp=true gives the unit a private mount namespace. The worker's fuse-overlayfs mount lives only inside that namespace, so the host cannot see it and the gameserver unit (started via systemctl, with its own namespace inherited from the host) also cannot see it. The gameserver unit then fails CHDIR on /var/lib/left4me/runtime//merged/left4dead2.

The mount must land in the host namespace so the gameserver unit inherits it at unshare time.

Remaining hardening: dedicated user, ProtectSystem=full, ReadWritePaths, sudoers allowlist limited to two helper scripts.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../usr/local/lib/systemd/system/left4me-web.service | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/deploy/files/usr/local/lib/systemd/system/left4me-web.service b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
index 0cfef4b..c6d6477 100644
--- a/deploy/files/usr/local/lib/systemd/system/left4me-web.service
+++ b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
@@ -16,10 +16,13 @@ ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 8 --bind 0.0.0.0 Restart=on-failure RestartSec=3 # NoNewPrivileges intentionally not set: the worker invokes fusermount3 -# (setuid-root) to mount FUSE overlays and sudo to run the systemctl -# wrapper. NoNewPrivileges blocks both. Hardening is still provided by -# dedicated user, PrivateTmp, ProtectSystem=full, and narrow sudoers. -PrivateTmp=true +# (setuid-root) and sudo to run the systemctl wrapper. +# PrivateTmp intentionally not set: it creates a private mount +# namespace, which would hide per-instance fuse-overlayfs mounts from +# the host and the gameserver units. The mount must land in the host +# namespace so the systemd-managed gameserver service inherits it at +# unshare time. Remaining hardening: dedicated user, ProtectSystem, +# ReadWritePaths, narrow sudoers allowlist. ProtectSystem=full ReadWritePaths=/var/lib/left4me
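Review bot: removing PrivateTmp=true on its own most likely does not put the fuse-overlayfs mount into the host namespace, because the trailing context still keeps `ProtectSystem=full` and `ReadWritePaths=/var/lib/left4me`, and per systemd.exec(5) those directives (like PrivateTmp=, PrivateMounts=, ReadOnlyPaths= and the other file system sandboxing options) also run the unit in its own mount namespace with propagation towards the host set to slave. The new comment `+# PrivateTmp intentionally not set: it creates a private mount` / `+# namespace, which would hide per-instance fuse-overlayfs mounts from` therefore describes a property that the directives listed under "Remaining hardening: dedicated user, ProtectSystem," share, so the unit may still fail CHDIR exactly as before. Suggest verifying from the host with `findmnt` after a worker has mounted an overlay before merging; if the mount is still invisible, the cleaner fix is to move the mount out of the web unit (for example into an `ExecStartPre=` of the gameserver unit, which is the process that needs it) so the web service keeps PrivateTmp=true and its namespace isolation, rather than stripping ProtectSystem and ReadWritePaths as well. Whatever is chosen, the comment should name which remaining directives imply a mount namespace, and note that without PrivateTmp the gunicorn worker now shares the host /tmp, so nothing in the worker should rely on /tmp being private.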