mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-27 06:03:48 +03:00
init/systemd: Re-add ReadWriteDirectories. (#2798)
In systemd 231 (4f10b80786/NEWS (L3558-L3565)
), ReadWriteDirectories was renamed ReadWritePaths. In https://github.com/caddyserver/caddy/pull/2620/files, @aspeteRakete renamed the directive in Caddy's example systemd unit. However, this means that if anyone runs this sytemd unit on a version of systemd older than 231, Caddy will go into a crash loop that hammers Let's Encrypt's servers. That's because the ProtectSystem=full directive prevents writes to all paths that aren't explicitly permitted, and older systemd doesn't see any paths being permitted. To maximize compatibility, I re-add the original ReadWriteDirectories directive. Older systemd will read that; newer systemd will read the newer directive. Both should ignore the directive they do not recognize. Another approach to solve this problem would be to remove ProtectSystem=true, originally introduced inda8ae9e5
. That would reduce the risk of similar breakages in the future. It would make for a slightly less "exemplary" systemd unit, but I think it would still be adequate, given that this unit runs caddy as "www-data", a user the presumably has low privileges.
This commit is contained in:
parent
be2fdb6af6
commit
24b2e02ee5
1 changed files with 1 additions and 0 deletions
1
dist/init/linux-systemd/caddy.service
vendored
1
dist/init/linux-systemd/caddy.service
vendored
|
@ -44,6 +44,7 @@ ProtectSystem=full
|
|||
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
|
||||
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
|
||||
ReadWritePaths=/etc/ssl/caddy
|
||||
ReadWriteDirectories=/etc/ssl/caddy
|
||||
|
||||
; The following additional security directives only work with systemd v229 or later.
|
||||
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
|
||||
|
|
Loading…
Reference in a new issue