The job worker calls fusermount3 (setuid-root) to mount per-instance FUSE overlays and sudo to invoke the privileged systemctl wrapper. NoNewPrivileges=true blocks both, surfacing as "fusermount3: mount failed: Operation not permitted" the first time a server is started. Hardening is still enforced via a dedicated user, PrivateTmp, ProtectSystem=full, ReadWritePaths, and the narrow sudoers allowlist limited to two helper scripts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

| Path |
|---|
| .. |
| etc/sudoers.d |
| usr/local |
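As an added illustration of the trade-off the commit message describes (this is example configuration, not the project's own unit file), the fragment below shows a job-worker service with the blocking setting commented out next to the hardening that remains in force. The service name, user, and paths (`jobworker`, `/opt/jobworker`, `/var/lib/jobworker`, `/run/jobworker`) are placeholders, not values from the commit.

```ini
# Example systemd unit (not the project's): job worker that relies on
# setuid-root fusermount3 and on sudo for a privileged systemctl wrapper.
# All names and paths here are placeholders.

[Unit]
Description=Job worker (example)

[Service]
User=jobworker
Group=jobworker
ExecStart=/opt/jobworker/bin/worker

# Blocking setting: with NoNewPrivileges=true the kernel refuses to let
# an exec gain privileges, so the setuid bit on fusermount3 and on sudo
# is ignored and the first mount fails with
# "fusermount3: mount failed: Operation not permitted".
# Left disabled on purpose.
#NoNewPrivileges=true

# Hardening that stays in effect without breaking the setuid helpers:
PrivateTmp=true
# /usr, /boot, /efi and /etc become read-only for the service; the
# sudoers allowlist under /etc/sudoers.d only needs to be readable.
ProtectSystem=full
# Only the state and runtime directories are writable again.
ReadWritePaths=/var/lib/jobworker /run/jobworker

[Install]
WantedBy=multi-user.target
```

Two practical checks go with this. First, NoNewPrivileges is also switched on implicitly by a number of other sandboxing directives (among them SystemCallFilter=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=, ProtectClock=, MemoryDenyWriteExecute=, RestrictRealtime=, RestrictSUIDSGID=, DynamicUser=, LockPersonality=, ProtectHostname=), so adding any of those later would reintroduce the same failure; `systemctl show -p NoNewPrivileges <unit>` reports the effective value and should print `NoNewPrivileges=no` for this design. Second, the sudoers side should stay as narrow as the commit states: one line of the form `jobworker ALL=(root) NOPASSWD: /usr/local/libexec/jobworker/start-server, /usr/local/libexec/jobworker/stop-server` (script names again placeholders) in a mode-0440 file under /etc/sudoers.d, validated with `visudo -cf` before deployment, so that sudo remains usable by the worker only for those two helpers and nothing else.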