Open david415 opened 6 years ago
LEAP is still on Debian Jessie, and at least there I didn't manage to get user services to work. We're using global services:
# cat /etc/systemd/system/katzenmix.service
[Unit]
Description=Katzenpost Mix Server
After=network.target
[Service]
Type=simple
User=katzenpost
WorkingDirectory=/home/katzenpost/node
ExecStart=/home/katzenpost/node/server -f katzenpost.toml
PrivateTmp=yes
NoNewPrivileges=yes
# RestartSec=5
Restart=on-failure
[Install]
WantedBy=default.target
# systemctl enable katzenmix
# systemctl start katzenmix
http://0pointer.de/blog/projects/security.html is a good intro into systemd isolation features we might want to add besides PrivateTmp and NoNewPrivileges.
This seems to work for me as user unit file for the authority, but needs absolute paths in it so is not ideal. Also, systemd probably has better isolation features than this.