Merge #16556: Fix systemd service file configuration directory setup
f3b57f4a1c Unrecommend making config file owned by bitcoin (setpill)
870d4152df Set ProtectHome in systemd service file (setpill)
639a416e37 Chgrp config dir to bitcoin in systemd service (setpill)
aded0528f0 Improve clarity of systemd service file comments (setpill)

Pull request description:

Rationale: ran into a bug with the systemd service file, fixed it locally and figured I might as well contribute my fix. Also fixed some unrelated confusing phrasing in the comments of the same file, after discussion in IRC.

ACKs for top commit:
sipsorcery: tACK f3b57f4a1c (nothing changed since previous tACK).
ryanofsky: utACK f3b57f4a1c. Only change since last review is removing ConfigurationDirectoryMode churn in early commits

Tree-SHA512: 2188345878925b9e8a5c2c3df8dfba443720e2252a164db54a8e1d8007846721497b2d98c56f1d9b60a9a9ed4fdb1156c7b02c699616b220a9b614671617d32a
This commit is contained in: commit fc5b756bae
2 changed files with 15 additions and 7 deletions
@ -5,8 +5,9 @@
# See "man systemd.service" for details.
# Note that almost all daemon options could be specified in
# /etc/bitcoin/bitcoin.conf, except for those explicitly specified as arguments
# in ExecStart=
# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly
# specified as arguments in ExecStart= will override those in the
# config file.
[Unit]
Description=Bitcoin daemon
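Review bot: the new wording ("keep in mind those explicitly specified as arguments in ExecStart= will override those in the config file") fixes the misleading "except for" of the old comment, which read as if those options could not appear in bitcoin.conf at all; one nit, "could be specified" would read more directly as "can be specified", and it is worth stating plainly that command-line arguments always take precedence over the config file, since that is the rule the comment is trying to convey.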
@ -18,6 +19,10 @@ ExecStart=/usr/bin/bitcoind -daemon \
-conf=/etc/bitcoin/bitcoin.conf \
-datadir=/var/lib/bitcoind
# Make sure the config directory is readable by the service user
PermissionsStartOnly=true
ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
# Process management
####################
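Review bot: `PermissionsStartOnly=true` is deprecated in systemd (since v231) in favour of prefixing the privileged command with `+`, i.e. `ExecStartPre=+/bin/chgrp bitcoin /etc/bitcoin`, which has the same effect of running only that command with full privileges while `ExecStart=` stays under `User=`/`Group=`. Separately, `chgrp` changes only the group owner of the directory, not its mode bits and not the files inside it, so the comment "Make sure the config directory is readable by the service user" only holds if the directory mode grants group access (for example 0750 or 0710) and `/etc/bitcoin/bitcoin.conf` itself is group-readable (0640, group bitcoin); consider saying so in the comment, because an operator who creates the file as 0600 root-owned gets a unit that starts and then fails to read its config.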
@ -53,6 +58,9 @@ PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Deny access to /home, /root and /run/user
ProtectHome=true
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true
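Review bot: `ProtectHome=true` is safe here because `ExecStart=` pins `-datadir=/var/lib/bitcoind` and `-conf=/etc/bitcoin/bitcoin.conf`, so nothing the daemon needs lives under /home, /root or /run/user; the comment could add that an operator who overrides `-datadir` or `-conf` to a path under /home via a drop-in must relax this to `ProtectHome=read-only` (or drop it), since with `true` those trees appear empty to the process and the failure shows up as a missing data directory rather than an obvious permission error.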
doc/init.md (10 changed lines)
@ -59,11 +59,11 @@ Data directory: `/var/lib/bitcoind`
PID file: `/var/run/bitcoind/bitcoind.pid` (OpenRC and Upstart) or `/run/bitcoind/bitcoind.pid` (systemd)
Lock file: `/var/lock/subsys/bitcoind` (CentOS)
The configuration file, PID directory (if applicable) and data directory
should all be owned by the bitcoin user and group. It is advised for security
reasons to make the configuration file and data directory only readable by the
bitcoin user and group. Access to bitcoin-cli and other bitcoind rpc clients
can then be controlled by group membership.
The PID directory (if applicable) and data directory should both be owned by the
bitcoin user and group. It is advised for security reasons to make the
configuration file and data directory only readable by the bitcoin user and
group. Access to bitcoin-cli and other bitcoind rpc clients can then be
controlled by group membership.
NOTE: When using the systemd .service file, the creation of the aforementioned
directories and the setting of their permissions is automatically handled by
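Review bot: the rewritten paragraph drops the recommendation that the configuration file be owned by the bitcoin user but no longer says who should own it, and since the service file now only changes the group of /etc/bitcoin and leaves the file alone, a reader is left to guess; consider stating the intended layout explicitly (for example: /etc/bitcoin and bitcoin.conf owned by root with group bitcoin, file mode 0640) and the reason, presumably that a daemon which owns its own config can rewrite its rpc settings if compromised, so nobody falls back to making the file world-readable or bitcoin-owned. The "only readable by the bitcoin user and group" sentence is kept verbatim from the old text, which is fine, but it now sits next to a recommendation that the file not be bitcoin-owned, so spelling out "group-readable, not group-writable" would remove the ambiguity.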