Post Ad6Xa3v6EbgiAv2MxU by __Styx__@piaille.fr
(DIR) Post #Ad6S100iHKEo8z7lTc by duponin@udongein.xyz
2023-12-23T13:56:36.656891Z
0 likes, 2 repeats
systemd help welcome

I've created a unit for a service, in which it should be able to read/write a file under /srv/foo/bar.txt
directory foo is 755, and bar.txt is root:root 777
the unit has the following significant things:
DynamicUser=yes
WorkingDirectory=/srv/foo
however, I have the following error:
open /srv/foo/bar.txt: read-only file system
:cirno_help:
(DIR) Post #Ad6SI05RFSHnIrRQAq by duponin@udongein.xyz
2023-12-23T13:59:38.439443Z
0 likes, 0 repeats
@GNUxeava systemctl start foo.service
(DIR) Post #Ad6T5kL04pC0wCROb2 by null31@pl.gnu.moe
2023-12-23T14:08:50.104488Z
0 likes, 0 repeats
@duponin are you using sandboxing?
Maybe you should include ReadWritePaths=/srv/foo
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing
(DIR) Post #Ad6TA9ebtS5gc4iPZ2 by tusooa@kazv.moe
2023-12-23T14:09:37.581854Z
0 likes, 0 repeats
@duponin how is /srv/foo mounted? is it mounted as ro? is the service running in a cgroup that makes it ro?
(DIR) Post #Ad6TOOG0Oc4XxSzjIu by duponin@udongein.xyz
2023-12-23T14:12:03.611271Z
1 likes, 0 repeats
@null31 it works now!
thank you
I thought WorkingDirectory was enough, but it might not be the right directive
(DIR) Post #Ad6TT94WHXAWJGtDrE by duponin@udongein.xyz
2023-12-23T14:13:01.503196Z
1 likes, 0 repeats
@tusooa I got help, WorkingDirectory wasn't the right directive, but ReadWritePath=/foo/bar made it
(DIR) Post #Ad6TuzmUPztpbSji1Q by null31@pl.gnu.moe
2023-12-23T14:18:07.866205Z
0 likes, 0 repeats
@duponin WorkingDirectory defines the base location for the app, it's like setting the $HOME.
For example this config file /foo/bar/choco.bar:
WorkingDirectory=/foo/bar
ExecStart=/usr/local/bin/foo2k --config choco.bar
(DIR) Post #Ad6UE8KAsXXpbNcMBU by duponin@udongein.xyz
2023-12-23T14:21:18.334874Z
0 likes, 0 repeats
@null31 ah yeah makes sense
but I thought the sandboxing would use it for write-able directories
but not doing it makes sense for security
(DIR) Post #Ad6URroP4INGRZJ0wy by chn@xn--s8w913fdga.chn.moe
2023-12-23T14:22:53.572Z
0 likes, 0 repeats
@duponin@udongein.xyz This is geoipupdate.service on my machine, you could take it as a reference. Maybe the key is ReadWritePaths=/var/lib/GeoIP (I am not sure).

[Unit]
After=geoipupdate-create-db-dir.service network-online.target nss-lookup.target
Description=GeoIP Updater
Requires=geoipupdate-create-db-dir.service
Wants=network-online.target

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/9hxgzj21fcgampnblxr8mxq2a0zyd9n3-glibc-locales-2.38-27/lib/locale/locale-archive"
Environment="PATH=/nix/store/mfh25biq2mcs3n8w453pawwgglcg9w5n-replace-secret/bin:/nix/store/7a4gag5q4gvf32qqqz5vscqxvsw968f7-coreutils-9.3/bin:/nix/store/avfv31qk3b062823wp5gl71dj0bknl2c-findutils-4.9.0/bin:/nix/store/ananpyjrvl5i30jsvp0vayzsb66rd5c7-gnugrep-3.11/bin:/nix/store/wdgrd>
Environment="TZDIR=/nix/store/8bx0hqfdnyym36jkz39h76kafj4sj4l4-tzdata-2023c/share/zoneinfo"
CapabilityBoundingSet=
DynamicUser=true
ExecStart=/nix/store/rmc1syprlxshzd9bn5lcdcwmdmii9b26-geoipupdate-6.0.0/bin/geoipupdate -f /run/geoipupdate/GeoIP.conf
ExecStartPre=+/nix/store/1v1cjc5r34dx5xhlba7g5pakkk05ibrj-start-pre-full-privileges
LockPersonality=true
MemoryDenyWriteExecute=true
PrivateDevices=true
PrivateMounts=true
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ReadWritePaths=/var/lib/GeoIP
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RuntimeDirectory=geoipupdate
RuntimeDirectoryMode=0700
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
User=geoip
(DIR) Post #Ad6URsxIoh5RzSTdSa by duponin@udongein.xyz
2023-12-23T14:23:46.507515Z
0 likes, 0 repeats
@chn yeah that's the ReadWritePaths I needed
(DIR) Post #Ad6Udh4MpngCbLPc6C by null31@pl.gnu.moe
2023-12-23T14:26:11.972922Z
1 likes, 0 repeats
@duponin yeah, having ProtectSystem enabled makes things more tricky about writing, and there are ReadWrite and ReadOnly entries as exceptions for certain paths/files.
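As an added example (not code from the thread or from systemd), here is a small Python model of the rules this thread runs into: DynamicUser= implying ProtectSystem=strict, WorkingDirectory= granting no write access, and ReadWritePaths=/ReadOnlyPaths=/StateDirectory= as the exceptions. The unit texts are constructed and the rule subset is an assumption for illustration; it ignores InaccessiblePaths=, PrivateTmp=, ProtectHome= and the like.

```python
# Added example (not from the thread): model which paths a sandboxed systemd unit
# may write, under a simplified reading of systemd.exec(5). Assumed rules:
# DynamicUser=yes implies ProtectSystem=strict (everything read-only except
# /dev, /proc, /sys); ProtectSystem=yes|full make /usr,/boot,/efi (+/etc for full)
# read-only; ReadWritePaths=/ReadOnlyPaths= nest, longest matching prefix wins;
# StateDirectory=NAME makes /var/lib/NAME writable. Other directives are omitted.
from posixpath import normpath
API_FS = ("/dev", "/proc", "/sys")
YES = ("yes", "true", "on", "1")
# Constructed units: the poster's setup before the fix, and with the fix applied.
UNIT_BEFORE = "[Service]\nDynamicUser=yes\nWorkingDirectory=/srv/foo\n"
UNIT_AFTER = UNIT_BEFORE + "ReadWritePaths=/srv/foo\n"

def parse_service(text):
    """Return {key: [values]} for [Service]; an empty value resets a list option."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            opts[key] = [] if value == "" else opts.get(key, []) + value.split()
    return opts

def under(path, prefix):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def can_write(unit_text, path):
    """True if PATH is writable inside the unit's mount namespace (assumptions above)."""
    opts, path = parse_service(unit_text), normpath(path)
    protect = (opts.get("ProtectSystem") or ["no"])[-1]
    if (opts.get("DynamicUser") or ["no"])[-1] in YES:
        protect = "strict"  # implied by DynamicUser=; WorkingDirectory= changes nothing
    # Base policy first, then bind-mount rules; a longer prefix overrides a shorter one.
    writable = protect != "strict" or any(under(path, p) for p in API_FS)
    rules = []
    if protect in ("full", *YES):
        rules += [("/usr", False), ("/boot", False), ("/efi", False)]
    if protect == "full":
        rules.append(("/etc", False))
    rules += [(normpath(p.lstrip("-+")), False) for p in opts.get("ReadOnlyPaths", [])]
    rules += [(normpath(p.lstrip("-+")), True) for p in opts.get("ReadWritePaths", [])]
    rules += [("/var/lib/" + n, True) for n in opts.get("StateDirectory", [])]
    for prefix, rw in sorted(rules, key=lambda r: len(r[0])):
        if under(path, prefix):
            writable = rw
    return writable
```

On a real host, `systemctl show foo.service -p ProtectSystem -p ReadWritePaths -p DynamicUser` prints the effective values rather than a model of them, and `systemd-analyze security foo.service` scores the whole sandbox.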
(DIR) Post #Ad6VRqueVlofbomljU by __Styx__@piaille.fr
2023-12-23T14:32:11Z
0 likes, 0 repeats
@duponin Do you have the linux security activated?
Check it with command
sestatus
I had a problem recently with it preventing services from accessing files even when they had rights / ownership to do so
If it is activated google
How to disable selinux
To test it with it disabled for your distro (will necessitate a reboot I think). And if it solves your problem, you should try to configure selinux to allow what you need for your service
Hope it helps you
(DIR) Post #Ad6VRriHXFW05k0P5c by duponin@udongein.xyz
2023-12-23T14:35:03.925073Z
0 likes, 0 repeats
@__Styx__ ReadWritePaths is what I needed, fixed by now
(DIR) Post #Ad6VWko6dhDA7Y3pjc by duponin@udongein.xyz
2023-12-23T14:35:11.301668Z
0 likes, 0 repeats
@GNUxeava ReadWritePaths is what I needed, fixed by now
(DIR) Post #Ad6Xa3v6EbgiAv2MxU by __Styx__@piaille.fr
2023-12-23T14:58:30Z
1 likes, 0 repeats
@duponin happy for you then. Have a nice weekend coding / conf-ing