author | Severin Glöckner | 2018-12-26 16:35:31 +0100 |
---|---|---|
committer | Severin Glöckner | 2018-12-26 16:35:31 +0100 |
commit | 1543e292573ef74923f8ff93639b5bdd3027f0bb (patch) | |
tree | f1eb2526e87666c29ad73064568d79da2e793f98 /wesnothd-1.8.service | |
parent | 50c7ab4664937b3bbcbfc4df93f6fdb6b9d727d8 (diff) | |
download | aur-1543e292573ef74923f8ff93639b5bdd3027f0bb.tar.gz |
various updates
Diffstat (limited to 'wesnothd-1.8.service')
-rw-r--r-- | wesnothd-1.8.service | 39 |
1 files changed, 29 insertions, 10 deletions
diff --git a/wesnothd-1.8.service b/wesnothd-1.8.service
index 586348f98f05..3f0ba9c9d150 100644
--- a/wesnothd-1.8.service
+++ b/wesnothd-1.8.service
@@ -3,26 +3,44 @@ Description=Wesnoth-1.8 Server Daemon
 Documentation=https://www.wesnoth.org/wiki/ServerAdministration
 Documentation=man:wesnothd-1.8(6)
 After=network.target
-# They use by default the same port
-Conflicts=wesnothd.service wesnothd-1.6.service wesnothd-1.10.service wesnothd-1.12.service wesnothd-1.14.service wesnothd-devel.service wesnothd-git.service
+# They use by default the same port, which can be changed by the -p option.
+Conflicts=wesnothd.service wesnothd-1.0.service wesnothd-1.2.service wesnothd-1.4.service wesnothd-1.6.service wesnothd-1.10.service wesnothd-1.12.service wesnothd-1.14.service wesnothd-devel.service wesnothd-git.service
 [Service]
+# If wesnothd is started from within the game it runs under a different user.
+# Deleting the pipe resets owner, group and mode.
+ExecStopPre=/bin/rm -f /run/wesnothd-1.4/socket
+
 ExecStart=/usr/bin/wesnothd-1.8 -t 2 -T 5
-# you can use -c to specify the same configuration file
-# which is used when starting wensothd from the wesnoth UI
-# (and make sure wesnothd has the required access permissions)
+# You can use -c to specify a same configuration file
+# (and make sure wesnothd has the required access permissions).
 SyslogIdentifier=Wesnothd-1.8
 User=nobody
-Group=nobody
-ExecStopPost=/usr/bin/rm -f /run/wesnothd-1.8/socket
+Group=users
+
+# Remove remaining administration pipe:
+ExecStopPost=/bin/rm -f /run/wesnothd-1.8/socket
-# Additional security-related features
-ProtectSystem=yes
+# Additional security-related features:
 PrivateTmp=yes
 PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+# When specifying with the -c option a file in the home directory,
+# set ProtectHome=read-only and whitelist the directory or file with
+# ReadWritePaths.
+ReadWritePaths=/run/wesnothd-1.8
+InaccessiblePaths=/usr/include
+InaccessiblePaths=/usr/src
+InaccessiblePaths=/boot
+InaccessiblePaths=/media
+InaccessiblePaths=/mnt
+InaccessiblePaths=/srv
+InaccessiblePaths=/opt
+InaccessiblePaths=/var
 NoNewPrivileges=yes
-RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET AF_UNIX
 RestrictRealtime=yes
 MemoryDenyWriteExecute=yes
 SystemCallArchitectures=native
@@ -30,6 +48,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 RestrictNamespaces=yes
+LockPersonality=yes
 [Install]
 WantedBy=multi-user.target |
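Review bot: `ExecStopPre=` is not a `[Service]` directive systemd recognises, so the added line is skipped with an unknown-key warning and the stale pipe is never removed; it also names `/run/wesnothd-1.4/socket` inside the 1.8 unit, which looks like a copy-paste slip. Going by the comment above it, the intent appears to be `ExecStartPre=/bin/rm -f /run/wesnothd-1.8/socket`. `Group=users` places the daemon in a group that on many hosts also contains interactive accounts, so group-accessible files outside the masked paths become reachable to it; a dedicated service group would keep the sandboxing that follows meaningful. The new `ReadWritePaths=` and `InaccessiblePaths=` entries carry no `-` prefix, so a path that does not exist on the host (for example `/media`) makes the unit fail at namespace setup; write them as `InaccessiblePaths=-/media` wherever existence is not guaranteed.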