Open TubbyCat opened 2 years ago
I understand the need of cgroupv2 for the service, but is it necessary for the timer command (log2ram-daily.service) ?
As a measure of added precaution, in theory, it is better to have than not have. This conclusion is derived from the systemd manual "systemd 251" subsection "ProtectControlGroups." There appear to be no downsides to adding it at least from my cursory testing. Ultimately, you know your software best and I am not a systemd or log2ram expert.
tldr: not necessary but wouldn't hurt to have.
PS I'm mildly disappointed that GitHub won't let me add a cat emoji here lol.
I have added some common Systemd sandboxing options. The additions seek to move the services toward a posture of securer defaults. It is best practice to implement such restrictions to long running services. Furthermore, despite my personal aversion to reading them, logs are a critical element of system security.
My pull request changes the output of:
from ~9 (unsafe) to ~ 6 (medium).
Some added options have comments below them regarding possible lost functionality. It is up to the developer to determine whether to include those specific lines, i.e. whether to maximize user friendliness or not. If those lines were removed, the end-user could simply add it themselves if they wanted to, so it's not that important anyways.
For background context on Systemd-Sandboxing, see: link
I will accept chin scritchies as a token of appreciation.
Friendly meows, TubbyCat