eworm-de closed 5 years ago
Had some dependency issues after with my initial commits...
Pushed an update that should work.
Dropped two security features (PrivateTmp=on & ProtectHome=on) and reverted to use root, instead limited capabilities.
Thanks a lot for PR! I have tested it on Fedora 31 and it works reliably. Merging.
NoNewPrivileges=on breaks the service.
haveged: Couldn't open random device: Permission denied
Are you sure your error is caused by NoNewPrivileges=on? The message is just about opening a file (/dev/random), nothing about elevating privileges. From systemd.exec(5):
Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). [...]
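A way to check the behaviour described in the systemd.exec(5) excerpt above, as an added example (not code from this PR or from haveged): it assumes NoNewPrivileges= corresponds to the Linux no_new_privs process flag set through prctl(2), and compares the result of opening /dev/random before and after the flag is set. It exercises only that flag, not the other settings in the unit; the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Try to open path read-only; return 0 on success, otherwise the errno value. */
static int try_open(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Set no_new_privs on this process (cannot be undone) and read it back.
 * Returns the flag value (1 when set) or -1 if the kernel refused. */
static int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Returns 1 if open(path) has the same outcome before and after the flag
 * is set, 0 if the outcome changed, -1 if the flag could not be set. */
static int open_unchanged_by_nnp(const char *path)
{
    int before = try_open(path);
    if (set_no_new_privs() != 1)
        return -1;
    int after = try_open(path);
    printf("%s: before=%s, after=%s\n", path,
           before ? strerror(before) : "ok",
           after ? strerror(after) : "ok");
    return before == after;
}

int main(void)
{
    /* Exit status 0 means the flag did not change the open() result. */
    return open_unchanged_by_nnp("/dev/random") == 1 ? 0 : 1;
}
```

Running the binary as the same user and with the same capability set as the service gives the comparison most relevant to the unit file.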
With latest systemd struggle we had to update systemd service ordering for our Arch Linux package. In the end we would like to use an upstream service file, but keep our security features.
Further fragmenting the service files is a bad idea I think... So updated the Fedora one. @jirka-h, please test carefully this works for Fedora...