github-mirrors/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2025-04-24 05:57:20 -04:00
Code Issues Projects Releases Packages Wiki Activity

Move service hardening options to override config

Browse source 
Some combination of these options were causing problems with the
functionality of restart.sh as described in the comment and in detail in
issue #7503.

While these seem OK on their face, the implications of this breaking
restart.sh means that they could potentially break other things too.

Thus, we should move these into the optional override file which is in
the administrator's full control, instead of in the default unit, and
leave them off unless a user or package maintainer (e.g. NixOS as
described in the original issue #6952) wants to enable them.

Fixes #7503
This commit is contained in:
Joshua M. Boniface 2022-06-12 01:05:29 -04:00
parent 93941f9728
commit 874fcaba69
2 changed files with 48 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

48
debian/conf/jellyfin.service.conf vendored
View file

@ -3,5 +3,53 @@
# Use this file to override the user or environment file location.
[Service]
# Alter the user that Jellyfin runs as
#User = jellyfin
# Alter where environment variables are sourced from
#EnvironmentFile = /etc/default/jellyfin
# Service hardening options
# These were added in PR #6953 to solve issue #6952, but some combination of
# them causes "restart.sh" functionality to break with the following error:
# sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
# 'nosuid' option set or an NFS file system without root privileges?
# See issue #7503 for details on the troubleshooting that went into this.
# Since these were added for NixOS specifically and are above and beyond
# what 99% of systemd units do, they have been moved here as optional
# additional flags to set for maximum system security and can be enabled at
# the administrator's or package maintainer's discretion.
# Uncomment these only if you know what you're doing, and doing so may cause
# bugs with in-server Restart and potentially other functionality as well.
#NoNewPrivileges=true
#SystemCallArchitectures=native
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#RestrictNamespaces=false
#RestrictRealtime=true
#RestrictSUIDSGID=true
#ProtectControlGroups=false
#ProtectHostname=true
#ProtectKernelLogs=false
#ProtectKernelModules=false
#ProtectKernelTunables=false
#LockPersonality=true
#PrivateTmp=false
#PrivateDevices=false
#PrivateUsers=true
#RemoveIPC=true
#SystemCallFilter=~@clock
#SystemCallFilter=~@aio
#SystemCallFilter=~@chown
#SystemCallFilter=~@cpu-emulation
#SystemCallFilter=~@debug
#SystemCallFilter=~@keyring
#SystemCallFilter=~@memlock
#SystemCallFilter=~@module
#SystemCallFilter=~@mount
#SystemCallFilter=~@obsolete
#SystemCallFilter=~@privileged
#SystemCallFilter=~@raw-io
#SystemCallFilter=~@reboot
#SystemCallFilter=~@setuid
#SystemCallFilter=~@swap
#SystemCallErrorNumber=EPERM

33
debian/jellyfin.service vendored
View file

@ -13,38 +13,5 @@ Restart = on-failure
TimeoutSec = 15
SuccessExitStatus=0 143
NoNewPrivileges=true
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=false
RestrictRealtime=true
RestrictSUIDSGID=true
ProtectControlGroups=false
ProtectHostname=true
ProtectKernelLogs=false
ProtectKernelModules=false
ProtectKernelTunables=false
LockPersonality=true
PrivateTmp=false
PrivateDevices=false
PrivateUsers=true
RemoveIPC=true
SystemCallFilter=~@clock
SystemCallFilter=~@aio
SystemCallFilter=~@chown
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@keyring
SystemCallFilter=~@memlock
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@setuid
SystemCallFilter=~@swap
SystemCallErrorNumber=EPERM
[Install]
WantedBy = multi-user.target