The job worker calls fusermount3 (setuid-root) to mount per-instance FUSE overlays and sudo to invoke the privileged systemctl wrapper. NoNewPrivileges=true blocks both, surfacing as "fusermount3: mount failed: Operation not permitted" the first time a server is started. Hardening is still enforced via dedicated user, PrivateTmp, ProtectSystem=full, ReadWritePaths, and the narrow sudoers allowlist limited to two helper scripts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
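[Unit]
Description=left4me web application
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=left4me
Group=left4me
WorkingDirectory=/opt/left4me
Environment=HOME=/var/lib/left4me
Environment=PATH=/opt/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Both files are loaded into the process environment of a non-root service;
# anything secret in them should be readable only by root and the left4me
# group (e.g. mode 0640, owner root:left4me).
EnvironmentFile=/etc/left4me/host.env
EnvironmentFile=/etc/left4me/web.env
# Binds on every interface. If a reverse proxy fronts this, binding to
# 127.0.0.1:8000 (or a unix socket) keeps gunicorn off the network edge;
# left as-is because the deployment topology is not visible here.
ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 8 --bind 0.0.0.0:8000 'l4d2web.app:create_app()'
Restart=on-failure
RestartSec=3

# NoNewPrivileges intentionally not set: the worker invokes fusermount3
# (setuid-root) to mount FUSE overlays and sudo to run the systemctl
# wrapper. NoNewPrivileges blocks both (fusermount3 fails with
# "mount failed: Operation not permitted" on the first server start).
# Hardening is still provided by the dedicated user, PrivateTmp,
# ProtectSystem=full, and the narrow sudoers allowlist.
#
# CAUTION: systemd.exec(5) documents that, for a service whose User= is not
# root, the following directives IMPLY NoNewPrivileges=yes and would
# silently reintroduce the breakage above: SystemCallFilter=,
# SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=,
# PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=,
# ProtectKernelLogs=, ProtectClock=, MemoryDenyWriteExecute=,
# RestrictRealtime=, RestrictSUIDSGID=, LockPersonality=, DynamicUser=.
# An emptied CapabilityBoundingSet= would likewise drop CAP_SYS_ADMIN from
# the setuid fusermount3 and break the mount. Re-test a server start after
# adding any sandboxing directive. ProtectHome= is not on that list and is
# a candidate for tightening (HOME is redirected to /var/lib/left4me
# above) -- confirm the worker touches nothing under /home or /root first.
PrivateTmp=true
# NOTE(review): PrivateTmp= and ProtectSystem= run the service in its own
# mount namespace with slave propagation, so FUSE overlays mounted by this
# worker are not visible from the host or from separately started
# game-server units. Confirm the overlays are consumed from inside this
# service (or that the systemctl wrapper performs the mount) before
# relying on them from elsewhere.
ProtectSystem=full
# /var/lib is already writable under ProtectSystem=full; this line records
# the state directory explicitly and becomes required if ProtectSystem=
# is ever raised to strict.
ReadWritePaths=/var/lib/left4me

[Install]
WantedBy=multi-user.target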