left4me

History

mwiegand 75e703e1a4 feat(deploy): left4me-script-sandbox helper + sudoers fragment Privileged bash helper that wraps user-authored scripts in systemd-run --scope (cgroup limits + RuntimeMaxSec=3600) inside a bubblewrap sandbox dropped to the l4d2-sandbox uid. Network is shared with the host so scripts can fetch from Steam / l4d2center / etc.; filesystem is RO except for /overlay (rw bind from /var/lib/left4me/overlays/{id}) and tmpfs /tmp + /run. Adds a sudoers rule allowing the left4me user to invoke this helper without restrictions on its arguments. Strict argument validation is in the helper itself. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 15:53:21 +02:00
..
etc/sudoers.d	feat(deploy): left4me-script-sandbox helper + sudoers fragment	2026-05-08 15:53:21 +02:00
usr/local	feat(deploy): left4me-script-sandbox helper + sudoers fragment	2026-05-08 15:53:21 +02:00

feat(deploy): left4me-script-sandbox helper + sudoers fragment

Privileged bash helper that wraps user-authored scripts in
systemd-run --scope (cgroup limits + RuntimeMaxSec=3600) inside a
bubblewrap sandbox dropped to the l4d2-sandbox uid. Network is shared
with the host so scripts can fetch from Steam / l4d2center / etc.;
filesystem is RO except for /overlay (rw bind from
/var/lib/left4me/overlays/{id}) and tmpfs /tmp + /run.

Adds a sudoers rule allowing the left4me user to invoke this helper
without restrictions on its arguments. Strict argument validation is
in the helper itself.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-08 15:53:21 +02:00

etc/sudoers.d

feat(deploy): left4me-script-sandbox helper + sudoers fragment

2026-05-08 15:53:21 +02:00

usr/local

feat(deploy): left4me-script-sandbox helper + sudoers fragment

2026-05-08 15:53:21 +02:00