search

notandy / ympd

Standalone MPD Web GUI written in C, utilizing Websockets and Bootstrap/JS
http://www.ympd.org
GNU General Public License v2.0
515 stars 143 forks source link

Harden ympd.service #185

Open cpitclaudel opened 5 years ago

cpitclaudel commented 5 years ago

This offers a measure of protection against potential ympd vulnerabilities. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for documentation.

cpitclaudel commented 5 years ago

See also: https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04, https://github.com/konstruktoid/hardening/blob/master/systemd.adoc#unit-configuration, and https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing:

The following sandboxing options are an effective way to limit the exposure of the system towards the unit's processes. It is recommended to turn on as many of these options for each unit as is possible without negatively affecting the process' ability to operate

SuperBFG7 commented 5 years ago

When I add these, ympd fails to start for me, since it cannot change the user (drop priviledges).

cpitclaudel commented 5 years ago

Are you setting up ympd.service as a user service?

SuperBFG7 commented 5 years ago

No, but I figured it out in the meantime: the user name has (of course) to be the same as in /etc/defaults/ympd for $YMPD_USER which in my case was mpd

cpitclaudel commented 5 years ago

Ah, it makes sense then :)

gdamjan commented 3 years ago

I'd also remove the --user $YMPD_USER argument in this PR, since it will/can clash with the DynamicUser=yes/User=ympd, and is unnecessary.

Great work otherwise. Should it be merged already? :)