From f2d133b81d98eb84acabef11b0bd919a98d5d13d Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 20 Sep 2024 03:58:11 +0200
Subject: webmap-download: Use a dedicated system group.

It will be shared between _webmap-* system users, which will be handy to share lock files.
---
 files/etc/systemd/system/webmap-download@.service | 7 ++++---
 tasks/webmap.yml | 8 ++++++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index a928a13..c0e826f 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -8,7 +8,7 @@ Upholds=webmap-update@%i.target
 [Service]
 User=_webmap-download
-Group=nogroup
+Group=_webmap
 Nice=15
 IOSchedulingClass=idle
@@ -21,6 +21,9 @@ ExecStart=/usr/local/bin/webmap-download \
 --quiet \
 -- %I
+RuntimeDirectory=webmap-download
+RuntimeDirectoryPreserve=yes
+
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=yes
@@ -31,8 +34,6 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=/var/cache/webmap
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
 [Install]
 WantedBy=webmap-update@%i.target
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 10a6555..ff212e5 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -64,9 +64,13 @@
 - meta: flush_handlers
+- name: Create system group '_webmap'
+ group: name=_webmap system=true
+ state=present
+
 - name: Create system user '_webmap-download'
 user: name=_webmap-download system=true
- group=nogroup
+ group=_webmap
 createhome=false home=/nonexistent shell=/usr/sbin/nologin
@@ -95,7 +99,7 @@
 - name: Create directory /var/cache/webmap
 file: path=/var/cache/webmap state=directory
- owner=_webmap-download group=nogroup
+ owner=_webmap-download group=root
 mode=0755
 - name: Copy webmap-download@.service
--
cgit v1.2.3
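Review bot: The added `RuntimeDirectory=webmap-download` / `RuntimeDirectoryPreserve=yes` pair in the second hunk of webmap-download@.service comes without a `RuntimeDirectoryMode=`, so systemd creates the directory with its default mode 0755, owned by `_webmap-download:_webmap`; members of the new `_webmap` group can therefore traverse and open files there but cannot create their own, which matters if the sibling `_webmap-*` units mentioned in the commit message are meant to create lock files too. Whether 0755 is enough depends on how the locks are taken (a read-only open is sufficient for some locking primitives, creating a file is not), so either add `RuntimeDirectoryMode=0775` next to the two new directives or record the constraint in a comment such as `# /run/webmap-download is shared with other _webmap-* units via group _webmap; files are created by this unit only`. The third hunk only moves the same two directives out of the Hardening block and changes nothing functionally.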
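Review bot: In the last hunk of tasks/webmap.yml the /var/cache/webmap task moves the directory's group from `nogroup` to `root` rather than to the `_webmap` group this commit introduces, so at mode 0755 the cache stays writable only by `_webmap-download` and the other `_webmap-*` users the group is meant for get read access only. That is presumably deliberate, since the unit grants `ReadWritePaths=/var/cache/webmap` to the download service alone, but nothing in the task or commit message says so; a one-line comment on the task, e.g. `# group stays root on purpose: only _webmap-download writes here, lock sharing happens in /run/webmap-download`, would stop the next reader from "fixing" it to `_webmap`. In the earlier hunk the new `group` task is correctly placed before the `user` task that now references `group=_webmap`; on hosts where `_webmap-download` already exists the user module appears to change the primary group in place, but files it created earlier under `nogroup` keep their old group, which is worth checking once after rollout.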