From 442a21f4b5b6b8f6f8ad0990bdc89bfcc024fad4 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Fri, 3 Jul 2015 13:22:36 +0200
Subject: [PATCH] Update doc and unit to run as vroom user account

Also add some restriction in the provided unit
---
 docs/systemd/vroom.service | 10 ++++++++--
 templates/default/documentation.html.ep | 7 ++++---
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/docs/systemd/vroom.service b/docs/systemd/vroom.service
index 1aa3c53..7839b9c 100644
--- a/docs/systemd/vroom.service
+++ b/docs/systemd/vroom.service
@@ -5,9 +5,15 @@ After=mariadb.service
 [Service]
 Type=simple
 ExecStart=/opt/vroom/scripts/start_server.pl
+ExecReload=/bin/kill -USR2 $MAINPID
 PrivateTmp=yes
-User=apache
-Group=apache
+User=vroom
+Group=vroom
+SyslogIdentifier=vroom
+InaccessibleDirectories=/home
+ReadOnlyDirectories=/usr
+ReadOnlyDirectories=/etc
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/default/documentation.html.ep b/templates/default/documentation.html.ep
index a7b489b..35d1ef7 100644
--- a/templates/default/documentation.html.ep
+++ b/templates/default/documentation.html.ep
@@ -240,9 +240,9 @@ echo "LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so" \\
 Set permissions on the cache directory
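Review bot: The new `InaccessibleDirectories=/home` and two `ReadOnlyDirectories=` lines after `Group=vroom` still leave `/root` and `/run/user` reachable from the service and do nothing to stop the process regaining privileges through setuid binaries, which is most of what a sandbox for a network-facing daemon is meant to prevent. On systemd v214 and later the same intent is expressed more completely by `ProtectHome=yes`, `ProtectSystem=full` and `NoNewPrivileges=yes`, which respectively hide /home, /root and /run/user, mount /usr, /boot and /etc read-only, and block setuid/setgid escalation. `InaccessibleDirectories`/`ReadOnlyDirectories` are also the pre-v231 spellings; newer systemd still accepts them for compatibility but documents `InaccessiblePaths`/`ReadOnlyPaths`, so a reader today should know which names to look up. Since the daemon's code lives under /opt/vroom (see `ExecStart`) and the accompanying documentation change makes only the cache directory writable by `vroom`, the unit should carry a comment that the rest of /opt/vroom must not be owned or writable by that account — otherwise a compromised process can rewrite its own code — and, if the cache directory is indeed inside /opt/vroom as the docs suggest, `ReadOnlyDirectories=/opt/vroom` paired with a `ReadWriteDirectories=` entry for the cache path would enforce that rather than rely on the operator's chown.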

- The cache directory must be writeable for the user running the VROOM daemon, which is apache in the provided systemd unit
+ The cache directory must be writeable for the user running the VROOM daemon, which is vroom in the provided systemd unit

-chown -R apache ./cache
+chown -R vroom ./cache
 chmod 700 ./cache

@@ -250,8 +250,9 @@ chmod 700 ./cache
 Setup systemd units

- Here, we'll copy the sample vroom.service unit so that systemd picks it up
+ Here, we'll copy the sample vroom.service unit so that systemd picks it up, and create the vroom user account

+useradd -r -d /dev/null -s /sbin/nologin vroom
 cp /opt/vroom/docs/systemd/vroom.service /etc/systemd/system/
 systemctl daemon-reload
 systemctl enable vroom