Merge #16556: Fix systemd service file configuration directory setup

f3b57f4a1c Unrecommend making config file owned by bitcoin (setpill)
870d4152df Set ProtectHome in systemd service file (setpill)
639a416e37 Chgrp config dir to bitcoin in systemd service (setpill)
aded0528f0 Improve clarity of systemd service file comments (setpill)

Pull request description:

  Rationale: ran into a bug with the systemd service file, fixed it locally and figured I might as well contribute my fix.

  Also fixed some unrelated confusing phrasing in the comments of the same file, after discussion in IRC.

ACKs for top commit:
  sipsorcery:
    tACK f3b57f4a1c (nothing changed since previous tACK).
  ryanofsky:
    utACK f3b57f4a1c. Only change since last review is removing ConfigurationDirectoryMode churn in early commits

Tree-SHA512: 2188345878925b9e8a5c2c3df8dfba443720e2252a164db54a8e1d8007846721497b2d98c56f1d9b60a9a9ed4fdb1156c7b02c699616b220a9b614671617d32a
This commit is contained in:
fanquake 2019-08-29 11:40:10 +08:00
commit fc5b756bae
No known key found for this signature in database
GPG key ID: 2EEB9F5CC09526C1
2 changed files with 15 additions and 7 deletions

View file

@ -5,8 +5,9 @@
# See "man systemd.service" for details.
# Note that almost all daemon options could be specified in
# /etc/bitcoin/bitcoin.conf, except for those explicitly specified as arguments
# in ExecStart=
# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly
# specified as arguments in ExecStart= will override those in the
# config file.
[Unit]
Description=Bitcoin daemon
@ -18,6 +19,10 @@ ExecStart=/usr/bin/bitcoind -daemon \
-conf=/etc/bitcoin/bitcoin.conf \
-datadir=/var/lib/bitcoind
# Make sure the config directory is readable by the service user
PermissionsStartOnly=true
ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
# Process management
####################
@ -53,6 +58,9 @@ PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Deny access to /home, /root and /run/user
ProtectHome=true
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

View file

@ -59,11 +59,11 @@ Data directory: `/var/lib/bitcoind`
PID file: `/var/run/bitcoind/bitcoind.pid` (OpenRC and Upstart) or `/run/bitcoind/bitcoind.pid` (systemd)
Lock file: `/var/lock/subsys/bitcoind` (CentOS)
The configuration file, PID directory (if applicable) and data directory
should all be owned by the bitcoin user and group. It is advised for security
reasons to make the configuration file and data directory only readable by the
bitcoin user and group. Access to bitcoin-cli and other bitcoind rpc clients
can then be controlled by group membership.
The PID directory (if applicable) and data directory should both be owned by the
bitcoin user and group. It is advised for security reasons to make the
configuration file and data directory only readable by the bitcoin user and
group. Access to bitcoin-cli and other bitcoind rpc clients can then be
controlled by group membership.
NOTE: When using the systemd .service file, the creation of the aforementioned
directories and the setting of their permissions is automatically handled by