Bug#921812: mldonkey-server: Add systemd service file for better security
Mehdi Dogguy
mehdi at dogguy.org
Sun Jan 17 12:27:52 GMT 2021
Hi Sunil,
On Fri, Feb 08, 2019 at 06:15:44PM -0800, Sunil Mohan Adapa <sunil at medhas.org> wrote:
> It would nice to have a systemd service file for starting/stopping the daemon.
> It would avoid problems like #920466 and improve security due various
> restrictions that systemd can place. Attached is service file that we have
> tested for some simple operations. It lets the log get collected by journald on
> systems running systemd allowing for better log rotation too.
>
I agree it would be a very nice improvement in the packaging. Thanks for brining this
up in a bugreport and providing a patch!
I have a doubt about which systemd features to enable by default though. I can see
thath Fedora/RedHat enabled really a few, as you can see in [1].
For this reason, I'll ask for advice from Michael (systemd's maintainer). Michael,
Sunil here is proposing a .service file for mldonkey-server. I am wondering if we
should aim for a simplistic approach as in [1] or if we should enable by default
features proposed by Sunil in his patch (see below). What do you think? What would
be your recommendation?
[1] https://src.fedoraproject.org/rpms/mldonkey/blob/2a45ff06778cadc4d58435ca1e7187396012c6f1/f/mldonkey.service
Regards,
> [Unit]
> Description=MLDonkey: Multi-protocol, peer-to-peer file sharing server
> After=syslog.target network.target
> ConditionPathExists=/var/lib/mldonkey/downloads.ini
> Documentation=man:mlnet(1) http://mldonkey.sourceforge.net/Main_Page
>
> [Service]
> ExecStart=/usr/bin/mlnet
> Group=mldonkey
> LockPersonality=yes
> NoNewPrivileges=yes
> PrivateDevices=yes
> PrivateMounts=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectControlGroups=yes
> ProtectHome=yes
> ProtectKernelModules=yes
> ProtectKernelTunables=yes
> ProtectSystem=strict
> ReadWritePaths=/var/lib/mldonkey
> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> RestrictRealtime=yes
> StateDirectory=mldonkey
> SystemCallArchitectures=native
> Type=simple
> User=mldonkey
> WorkingDirectory=/var/lib/mldonkey
>
> [Install]
> WantedBy=multi-user.target
--
Mehdi Dogguy
More information about the Pkg-systemd-maintainers
mailing list