Manually creating directories conflicts with systemd service hardening features. Particularly, ProtectSystem=strict mounts the filesystem as read-only for the processes started by the unit, which leads to mkdir failing.
By setting User=mosquitto and adding RuntimeDirectory and LogsDirectory, systemd creates /run/mosquitto and /var/log/mosquitto with the right permissions even when ProtectSystem=strict is used.
Adding User=mosquitto also has the side effect of running the daemon as the user mosquitto. I
Checklist
[X] Have you signed the Eclipse Contributor Agreement, using the same email address as you used in your commits? https://accounts.eclipse.org/users/gchamp20, submitted, appears to be pending? I can still re-submit but I now get an error.
[X] Do each of your commits have a "Signed-off-by" line, with the correct email address? Use "git commit -s" to generate this line for you.
[X] If you are contributing a new feature, is your work based off the develop branch?
[ ] If you are contributing a bugfix, is your work based off the fixes branch?
[X] Have you added an explanation of what your changes do and why you'd like us to include them?
[X] Have you successfully run make test with your changes locally?
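The unit-file change the PR description explains, shown as an added example (not the PR's own unit file or Mosquitto's packaged one): the manual-mkdir variant that breaks under ProtectSystem=strict, beside the version that lets systemd create the directories. The binary path, config path and Group= line are assumptions; adjust them to your install.

```ini
# Added example. Assumes /usr/sbin/mosquitto and /etc/mosquitto/mosquitto.conf
# (adjust to your install). Not the PR's or the project's own unit file.

# --- Before: directories created by hand in ExecStartPre ---
# ExecStartPre runs inside the same sandbox as ExecStart, so with
# ProtectSystem=strict the root filesystem is read-only and mkdir fails
# (even as root) before the broker ever starts.
#[Service]
#ExecStartPre=/bin/mkdir -p /run/mosquitto /var/log/mosquitto
#ExecStartPre=/bin/chown mosquitto:mosquitto /run/mosquitto /var/log/mosquitto
#ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
#ProtectSystem=strict

# --- After: systemd creates the directories before the sandbox is applied ---
[Unit]
Description=Mosquitto MQTT Broker
After=network.target

[Service]
# Daemon runs unprivileged; the directories below are owned by this user/group.
User=mosquitto
Group=mosquitto
# /run/mosquitto: created before ExecStart, removed when the unit stops.
RuntimeDirectory=mosquitto
# /var/log/mosquitto: created if missing, kept across restarts.
LogsDirectory=mosquitto
# Everything except /dev, /proc, /sys and the two directories above is
# read-only; systemd adds RuntimeDirectory/LogsDirectory to ReadWritePaths.
ProtectSystem=strict
ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

[Install]
WantedBy=multi-user.target
```

One caveat: any log_dest file path in mosquitto.conf must point under /var/log/mosquitto, otherwise the broker's own log writes still hit the read-only filesystem under ProtectSystem=strict.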