cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(deploy/files): drop ProcSubset=pid from web reference unit

Browse source 
Mirrors ckn-bw fix: ProcSubset=pid hides /proc/sys/kernel/random/boot_id,
which journalctl needs at startup; web unit invokes journalctl for
live log streaming.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
mwiegand 2026-05-15 16:14:40 +02:00
parent 15c620f95c
commit 6cf4517a88
No known key found for this signature in database
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
deploy/files/usr/local/lib/systemd/system/left4me-web.service
View file

@ -50,8 +50,12 @@ ProtectHome=true
PrivateTmp=true
# === /proc + kernel ===
# Note: ProcSubset=pid is intentionally NOT set on the web unit.
# It hides /proc/sys/kernel/random/boot_id which journalctl reads at
# startup, and the web invokes `sudo -n left4me-journalctl` to stream
# live server logs into the UI. The server unit can keep ProcSubset=pid
# because srcds doesn't shell out to journalctl.
ProtectProc=invisible # foreign-uid /proc hidden (defense: D4)
ProcSubset=pid
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true