Running as daemon with systemd

[svengo]

I managed to run The Onion Box as daemon with systemd (under Ubuntu 16.04) based on the wiki:

• Create user theonionbox
• Install The Onion Box to ~theonionbox and sudo chmod 755 ./theonionbox.py
• Edit ~theonionbox/config/theonionbox.cfgto your needs
• Create service file with sudo vi /etc/systemd/system/theonionbox.service with the following content:

# Run The Onion Box as background service
# https://github.com/ralphwetzel/theonionbox/

[Unit]
Description=The Onion Box
Documentation=https://github.com/ralphwetzel/theonionbox/wiki
After=network.target

[Service]
Type=simple
User=theonionbox
WorkingDirectory=~
ExecStart=/srv/theonionbox/theonionbox.py --mode=service
Restart=on-failure

[Install]
WantedBy=multi-user.target

• Start the new service with sudo systemctl start theonionbox.service
• If everything is okay, start the service on next boot with sudo systemctl enable theonionbox.service

[ralphwetzel]

Thank you for this great contribution! I'll add the service file to the next release.

[AnanasPfirsichSaft]

Maybe the service file can be hardened? My Debian Jessie box (Bananian Linux) use no systemd by default. Therefore I cannot dive into it at the moment. But my snippet should be a good start. Capabilities and syscalls whitelist are still missing. Some directives may be only available on newer systemd versions.

[service]
ProtectSystem=full
ReadWriteDirectories=/var/log/theonionbox
CapabilityBoundingSet=???
SystemCallFilter=???
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true

What do others think?