From 874fcaba691f925ecb5f9270b691754685d65691 Mon Sep 17 00:00:00 2001 From: "Joshua M. Boniface" Date: Sun, 12 Jun 2022 01:05:29 -0400 Subject: [PATCH] Move service hardening options to override config Some combination of these options was causing problems with the functionality of restart.sh as described in the comment and in detail in issue #7503. While these seem OK on their face, the implications of this breaking restart.sh mean that they could potentially break other things too. Thus, we should move these into the optional override file which is in the administrator's full control, instead of in the default unit, and leave them off unless a user or package maintainer (e.g. NixOS as described in the original issue #6952) wants to enable them. Fixes #7503 --- debian/conf/jellyfin.service.conf | 48 +++++++++++++++++++++++++++++++ debian/jellyfin.service | 33 --------------------- 2 files changed, 48 insertions(+), 33 deletions(-) diff --git a/debian/conf/jellyfin.service.conf b/debian/conf/jellyfin.service.conf index 1b69dd74ef..1f92d7d94e 100644 --- a/debian/conf/jellyfin.service.conf +++ b/debian/conf/jellyfin.service.conf 
@@ -3,5 +3,53 @@ # Use this file to override the user or environment file location. [Service] +# Alter the user that Jellyfin runs as #User = jellyfin + +# Alter where environment variables are sourced from #EnvironmentFile = /etc/default/jellyfin + +# Service hardening options +# These were added in PR #6953 to solve issue #6952, but some combination of +# them causes "restart.sh" functionality to break with the following error: +# sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the +# 'nosuid' option set or an NFS file system without root privileges? +# See issue #7503 for details on the troubleshooting that went into this. +# Since these were added for NixOS specifically and are above and beyond +# what 99% of systemd units do, they have been moved here as optional +# additional flags to set for maximum system security and can be enabled at +# the administrator's or package maintainer's discretion. +# Uncomment these only if you know what you're doing, and doing so may cause +# bugs with in-server Restart and potentially other functionality as well. +#NoNewPrivileges=true +#SystemCallArchitectures=native +#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +#RestrictNamespaces=false +#RestrictRealtime=true +#RestrictSUIDSGID=true +#ProtectControlGroups=false +#ProtectHostname=true +#ProtectKernelLogs=false +#ProtectKernelModules=false +#ProtectKernelTunables=false +#LockPersonality=true +#PrivateTmp=false +#PrivateDevices=false +#PrivateUsers=true +#RemoveIPC=true +#SystemCallFilter=~@clock +#SystemCallFilter=~@aio +#SystemCallFilter=~@chown +#SystemCallFilter=~@cpu-emulation +#SystemCallFilter=~@debug +#SystemCallFilter=~@keyring +#SystemCallFilter=~@memlock +#SystemCallFilter=~@module +#SystemCallFilter=~@mount +#SystemCallFilter=~@obsolete +#SystemCallFilter=~@privileged +#SystemCallFilter=~@raw-io +#SystemCallFilter=~@reboot +#SystemCallFilter=~@setuid +#SystemCallFilter=~@swap +#SystemCallErrorNumber=EPERM 
diff --git a/debian/jellyfin.service b/debian/jellyfin.service index 064e105373..2f97c46549 100644 --- a/debian/jellyfin.service +++ b/debian/jellyfin.service @@ -13,38 +13,5 @@ Restart = on-failure TimeoutSec = 15 SuccessExitStatus=0 143 -NoNewPrivileges=true -SystemCallArchitectures=native -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=false -RestrictRealtime=true -RestrictSUIDSGID=true -ProtectControlGroups=false -ProtectHostname=true -ProtectKernelLogs=false -ProtectKernelModules=false -ProtectKernelTunables=false -LockPersonality=true -PrivateTmp=false -PrivateDevices=false -PrivateUsers=true -RemoveIPC=true -SystemCallFilter=~@clock -SystemCallFilter=~@aio -SystemCallFilter=~@chown -SystemCallFilter=~@cpu-emulation -SystemCallFilter=~@debug -SystemCallFilter=~@keyring -SystemCallFilter=~@memlock -SystemCallFilter=~@module -SystemCallFilter=~@mount -SystemCallFilter=~@obsolete -SystemCallFilter=~@privileged -SystemCallFilter=~@raw-io -SystemCallFilter=~@reboot -SystemCallFilter=~@setuid -SystemCallFilter=~@swap -SystemCallErrorNumber=EPERM - [Install] WantedBy = multi-user.target
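Review bot: In the jellyfin.service.conf hunk, the comment attributes the breakage to an unknown "combination" of the options, but the quoted sudo error ("effective uid is not 0 ... nosuid ...") is the documented symptom of `NoNewPrivileges=true`, which prevents execve() from granting privileges via the set-user-ID bit; `PrivateUsers=true` (the service runs in a user namespace where setuid binaries cannot grant real root) and `SystemCallFilter=~@setuid` have the same effect on a sudo-based restart. Naming those three in the comment would let an administrator enable the remaining options without reproducing the restart.sh failure. Two smaller points for the same hunk: lines such as `#RestrictNamespaces=false`, `#ProtectControlGroups=false`, `#ProtectKernelLogs=false`, `#ProtectKernelModules=false`, `#ProtectKernelTunables=false`, `#PrivateTmp=false` and `#PrivateDevices=false` set the systemd default and add no hardening, so listing them under "maximum system security" is misleading and they could be dropped or marked as deliberately disabled; and the unchanged header line "Use this file to override the user or environment file location." no longer describes the file's contents and should mention the optional hardening block.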
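Review bot: The jellyfin.service hunk removes every hardening directive from the default unit, although only the directives that interfere with a setuid sudo need to go to restore restart.sh; settings that do not touch privilege transitions, such as `SystemCallArchitectures=native`, `RestrictRealtime=true`, `LockPersonality=true`, `ProtectHostname=true`, `RemoveIPC=true` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`, could stay in the shipped unit so that the default installation keeps a baseline rather than none. If the intent is nonetheless to leave the unit fully unhardened by default, the commit message should say so explicitly, and the drop-in file should note that after uncommenting any option the administrator must run `systemctl daemon-reload` and restart the service for the override to take effect, since that step is not mentioned anywhere in the new comment block.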