Closed aadnehovda closed 3 years ago
This is cool, but unfortunately we support many distributions including those with older systemd. This would further complicate the build process, requiring different systemd unit files for different distributions. So probably not now, but maybe once those older distributions are fully obsolete and no longer supported.
Just want to add a side note in case someone wants to override zerotier's systemd unit to achieve such a feature. Since /var/lib/zerotier-one and its contents created by zerotier-cli are owned by user zerotier-one and are read-only by non-owner users, the zerotier daemon will warn:
WARNING: unable to write to file: /var/lib/zerotier-one/networks.d/***.conf (unable to open)
To solve such an issue, we also need
ReadWritePaths=/var/lib/zerotier-one
So in summary, if you override the systemd unit with
sudo systemctl edit zerotier-one.service
you will need to write (with further hardening)
[Service]
ExecStart=
ExecStart=/usr/sbin/zerotier-one -U
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
DynamicUser=yes
ReadWritePaths=/var/lib/zerotier-one
# Further hardening
ProtectHome=true
NoNewPrivileges=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectProc=invisible
RestrictNamespaces=yes
ReadWritePaths should not be necessary on systemd v235+. The directory /var/lib/private/zerotier-one and corresponding symlink /var/lib/zerotier-one will be automatically created and the correct permissions set whenever the service is first started. Try to start from scratch -- delete /var/lib/private/zerotier-one, /var/lib/zerotier-one (keep a backup of the identity/secret) and remove the static zerotier-one user and group (assuming they were installed by an rpm/deb package). When I tried this setup last time, the only things I used were the zerotier-one executable and a zerotier-one.service file on an otherwise clean system.
AFAICT, NoNewPrivileges=yes is implied by DynamicUser and can be skipped.
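The two comments above disagree on whether ReadWritePaths= is needed alongside DynamicUser=, and both touch the pitfalls of a drop-in override (the ExecStart= reset, the writable state directory, the redundant NoNewPrivileges=). The following is an added example, not code from this thread or from the ZeroTier project: a small Python linter that parses a systemd drop-in with systemd's list semantics (an empty "Key=" resets the list) and reports those pitfalls. It treats either ReadWritePaths= covering /var/lib/zerotier-one or StateDirectory=zerotier-one as making the state directory writable; the sample override embedded in it is constructed from the comment above, and the version threshold 235 is the one the thread cites.

```python
"""Lint a systemd drop-in override for the DynamicUser= pitfalls discussed in the thread."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample input: the override proposed in the comment above.
SAMPLE_OVERRIDE = """\
[Service]
ExecStart=
ExecStart=/usr/sbin/zerotier-one -U
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
DynamicUser=yes
ReadWritePaths=/var/lib/zerotier-one
# Further hardening
ProtectHome=true
NoNewPrivileges=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectProc=invisible
RestrictNamespaces=yes
"""

STATE_DIR = "/var/lib/zerotier-one"      # directory the daemon must be able to write
STATE_DIR_NAME = "zerotier-one"          # value StateDirectory= would take for it
REQUIRED_CAPS = {"CAP_NET_RAW", "CAP_NET_ADMIN"}
DYNAMIC_USER_MIN_VERSION = 235           # DynamicUser= exists from this systemd version


@dataclass
class Unit:
    """Parsed unit: section -> key -> list of values, plus (section, key) pairs that were reset."""
    values: dict[str, dict[str, list[str]]] = field(default_factory=dict)
    resets: set[tuple[str, str]] = field(default_factory=set)


def parse_unit(text: str) -> Unit:
    """Parse unit-file syntax; list-valued keys keep every assignment, 'Key=' clears them."""
    unit = Unit()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.values.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        values = unit.values[section].setdefault(key, [])
        if value == "":
            values.clear()                             # empty assignment resets the key
            unit.resets.add((section, key))
        else:
            values.append(value)
    return unit


def _is_true(value: str) -> bool:
    return value.lower() in {"yes", "true", "on", "1"}


def _covers(path: str, target: str) -> bool:
    """True if a ReadWritePaths= entry (optionally prefixed with - or +) covers target."""
    p = path.lstrip("-+").rstrip("/") or "/"
    return target == p or target.startswith(p + "/")


def lint_override(text: str, systemd_version: int) -> list[str]:
    """Return findings as 'error:/warn:/info:' strings; an empty list means the override looks sound."""
    unit = parse_unit(text)
    svc = unit.values.get("Service", {})
    findings: list[str] = []

    # The packaged unit already has ExecStart=; a second one on a non-oneshot service is rejected,
    # so the drop-in must begin with an empty 'ExecStart=' to reset the list before re-setting it.
    if svc.get("ExecStart") and ("Service", "ExecStart") not in unit.resets:
        findings.append("error: ExecStart= set without a preceding empty 'ExecStart=' reset")

    dynamic = any(_is_true(v) for v in svc.get("DynamicUser", [])[-1:])
    if dynamic and systemd_version < DYNAMIC_USER_MIN_VERSION:
        findings.append(f"error: DynamicUser=yes needs systemd v{DYNAMIC_USER_MIN_VERSION}+, "
                        f"target is v{systemd_version}")

    # Without a writable state directory the daemon logs 'unable to write to file' for networks.d.
    rw_paths = [p for v in svc.get("ReadWritePaths", []) for p in v.split()]
    state_dirs = {d for v in svc.get("StateDirectory", []) for d in v.split()}
    writable = any(_covers(p, STATE_DIR) for p in rw_paths) or STATE_DIR_NAME in state_dirs
    if dynamic and not writable:
        findings.append(f"warn: DynamicUser=yes but {STATE_DIR} is in neither ReadWritePaths= "
                        f"nor StateDirectory={STATE_DIR_NAME}")

    caps = {c for v in svc.get("AmbientCapabilities", []) for c in v.split()}
    missing = sorted(REQUIRED_CAPS - caps)
    if missing:
        findings.append("warn: AmbientCapabilities= lacks " + " ".join(missing))

    if dynamic and any(_is_true(v) for v in svc.get("NoNewPrivileges", [])[-1:]):
        findings.append("info: NoNewPrivileges=yes is implied by DynamicUser=yes and can be dropped")
    return findings


if __name__ == "__main__":
    for finding in lint_override(SAMPLE_OVERRIDE, 245) or ["ok: no findings"]:
        print(finding)
```

Run it against the text of your own drop-in (for instance the file that `systemctl edit` writes under /etc/systemd/system/zerotier-one.service.d/) and the systemd version reported by `systemctl --version`; a finding tagged "error:" means the unit will not start as intended, "warn:" means it will start but the daemon will misbehave, and "info:" is a redundant directive.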
Desktop:
With systemd's support for dynamic users (http://0pointer.net/blog/dynamic-users-with-systemd.html), you can drop both the static system user added during installation and the capabilities drop and user switching in the service itself. It also creates and manages permissions on /var/lib/zerotier-one and other service specific folders. Available since systemd v235.
Example unit file: