restrict lmgrd privileges

Though I still haven't tested it, as I only maintain this package because I'm using the client-side tools (lmstat).
author: Mantas Mikulėnas 2021-04-22 17:28:11 +0300
committer: Mantas Mikulėnas 2021-04-22 17:28:11 +0300
commit: 61a5bd4384c7e16ecd79fd515d99e9f13f87745d (patch)
tree: f3b57be368212678ff202a71c206f48802aa1463 /lmgrd.service
parent: 97950f150fe39986ca18a454319c1d0cb731e889 (diff)
download: aur-61a5bd4384c7e16ecd79fd515d99e9f13f87745d.tar.gz
1 files changed, 13 insertions, 2 deletions
diff --git a/lmgrd.service b/lmgrd.service
index e3be68d2e39a..17770fcc60fb 100644
--- a/lmgrd.service
+++ b/lmgrd.service
@@ -1,9 +1,20 @@
 [Unit]
-Description=FLEXnet License Manager Daemon (from Autodesk)
+Description=FLEXnet License Manager Daemon (lmgrd)
+After=network.target
 
 [Service]
+User=lmgrd
+DynamicUser=true
+Environment="LMGRD_ARGS="
+Environment="LMGRD_RESTRICT_ARGS=-local -2 -p -x lmdown -x lmremove"
+EnvironmentFile=-/etc/sysconfig/lmgrd
 Type=forking
-ExecStart=/usr/lib/flexnetserver/lmgrd
+ExecStart=/usr/lib/flexnetserver/lmgrd $LMGRD_ARGS $LMGRD_RESTRICT_ARGS
+
+# -local        Restrict lmdown/reread to local only
+# -2 -p         Restrict lmdown/reread/remove/switch[r]/newlog to root-only
+# -x lmfoo      Disable remote usage of lm<foo> command
+# -z            Run in foreground
 
 [Install]
 WantedBy=multi-user.target
author	Mantas Mikulėnas	2021-04-22 17:28:11 +0300
committer	Mantas Mikulėnas	2021-04-22 17:28:11 +0300
commit	61a5bd4384c7e16ecd79fd515d99e9f13f87745d (patch)
tree	f3b57be368212678ff202a71c206f48802aa1463 /lmgrd.service
parent	97950f150fe39986ca18a454319c1d0cb731e889 (diff)
download	aur-61a5bd4384c7e16ecd79fd515d99e9f13f87745d.tar.gz