author | Severin Glöckner | 2018-12-26 16:55:45 +0100 |
---|---|---|
committer | Severin Glöckner | 2018-12-26 16:59:34 +0100 |
commit | e89ea6f489b351e5f7ccb8808f166b0c99af3cd7 (patch) | |
tree | 1d13dfe6cadbed37d8c830c2941f1741ec6c20e4 /wesnothd-1.10.service | |
parent | 73451864ae1d396f32d1844de1204d96b8cd7abc (diff) | |
download | aur-e89ea6f489b351e5f7ccb8808f166b0c99af3cd7.tar.gz |
general update
Diffstat (limited to 'wesnothd-1.10.service')
-rw-r--r-- | wesnothd-1.10.service | 39 |
1 files changed, 29 insertions, 10 deletions
diff --git a/wesnothd-1.10.service b/wesnothd-1.10.service
index 73d1e90976f9..7a8a26fda111 100644
--- a/wesnothd-1.10.service
+++ b/wesnothd-1.10.service
@@ -3,26 +3,44 @@ Description=Wesnoth-1.10 Server Daemon
 Documentation=https://www.wesnoth.org/wiki/ServerAdministration
 Documentation=man:wesnothd-1.10(6)
 After=network.target
-# They use by default the same port
-Conflicts=wesnothd.service wesnothd-1.6.service wesnothd-1.8.service wesnothd-1.12.service wesnothd-1.14.service wesnothd-devel.service wesnothd-git.service
+# They use by default the same port, may be changed with the -p option.
+Conflicts=wesnothd.service wesnothd-1.0.service wesnothd-1.2.service wesnothd-1.4.service wesnothd-1.6.service wesnothd-1.8.service wesnothd-1.12.service wesnothd-1.14.service wesnothd-devel.service wesnothd-git.service
 [Service]
+# If wesnothd is started from within the game it runs under a different user.
+# Deleting the pipe resets owner, group and mode.
+ExecStopPre=/bin/rm -f /run/wesnothd-1.10/socket
+
 ExecStart=/usr/bin/wesnothd-1.10 -t 2 -T 5
-# you can use -c to specify the same configuration file
-# which is used when starting wensothd from the wesnoth UI
-# (and make sure wesnothd has the required access permissions)
+# You can use -c to specify a same configuration file
+# (and make sure wesnothd has the required access permissions).
 SyslogIdentifier=Wesnothd-1.10
 User=nobody
-Group=nobody
-ExecStopPost=/usr/bin/rm -f /run/wesnothd-1.10/socket
+Group=users
+
+# Remove remaining administration pipe:
+ExecStopPost=/bin/rm -f /run/wesnothd-1.10/socket
-# Additional security-related features
-ProtectSystem=yes
+# Additional security-related features:
 PrivateTmp=yes
 PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+# When specifying with the -c option a file in the home directory,
+# set ProtectHome=read-only and whitelist the directory or file with
+# ReadWritePaths.
+ReadWritePaths=/run/wesnothd-1.10
+InaccessiblePaths=/usr/include
+InaccessiblePaths=/usr/src
+InaccessiblePaths=/boot
+InaccessiblePaths=/media
+InaccessiblePaths=/mnt
+InaccessiblePaths=/srv
+InaccessiblePaths=/opt
+InaccessiblePaths=/var
 NoNewPrivileges=yes
-RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET AF_UNIX
 RestrictRealtime=yes
 MemoryDenyWriteExecute=yes
 SystemCallArchitectures=native
@@ -30,6 +48,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
+LockPersonality=yes
 [Install]
 WantedBy=multi-user.target |
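Review bot: `ExecStopPre=` in the new `[Service]` block is not a setting systemd defines (the exec settings are `ExecStartPre=`, `ExecStart=`, `ExecStartPost=`, `ExecStop=` and `ExecStopPost=`), so the line is reported as an unknown key and ignored, and the pipe cleanup described in the comment above it never runs. Going by that comment, the intent looks like `ExecStartPre=/bin/rm -f /run/wesnothd-1.10/socket`; because the unit runs as `User=nobody`, removing a pipe left by a different user may also need the privileged form `ExecStartPre=+/bin/rm -f /run/wesnothd-1.10/socket`, depending on the directory's ownership and mode, which are not visible in this diff. Separately, the `InaccessiblePaths=` entries for directories that may be absent on a given install (for example `/media` or `/srv`) should carry the `-` prefix, as in `InaccessiblePaths=-/media`, so a missing path does not make namespace setup fail at start. `Group=users` also places the daemon in a group shared with interactive accounts, so anything it creates group-accessible under `/run/wesnothd-1.10` is reachable by them; if that sharing is intended for the admin pipe, a comment saying so next to `Group=users` would help.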