left4me

History

mwiegand a982995d5b fix(deploy): ExecStartPre runs overlay helper with `+` prefix, not sudo The unit has NoNewPrivileges=true (security hardening for srcds), which blocks sudo's setuid escalation. The previous sudo'd ExecStartPre failed on every start with "sudo: the 'no new privileges' switch is set, which prevents sudo from running as root" -> Restart=on-failure loop. systemd's `+` prefix runs the Exec command as PID 1 (root, no sandbox), bypassing User=/Group=/NoNewPrivileges=. Equivalent privilege scope to the sudoers rule the web app already uses for the same helper, just without the sudo middleman. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-09 12:55:16 +02:00
..
test_deploy_artifacts.py	fix(deploy): ExecStartPre runs overlay helper with `+` prefix, not sudo	2026-05-09 12:55:16 +02:00

fix(deploy): ExecStartPre runs overlay helper with + prefix, not sudo

The unit has NoNewPrivileges=true (security hardening for srcds), which
blocks sudo's setuid escalation. The previous sudo'd ExecStartPre failed
on every start with "sudo: the 'no new privileges' switch is set, which
prevents sudo from running as root" -> Restart=on-failure loop.

systemd's `+` prefix runs the Exec command as PID 1 (root, no sandbox),
bypassing User=/Group=/NoNewPrivileges=. Equivalent privilege scope to
the sudoers rule the web app already uses for the same helper, just
without the sudo middleman.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-09 12:55:16 +02:00

test_deploy_artifacts.py fix(deploy): ExecStartPre runs overlay helper with + prefix, not sudo 2026-05-09 12:55:16 +02:00