fix(packaging): run service as root for packet capture
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
- Change systemd service to run as root instead of ja4sentinel user
- Remove user/group creation from RPM spec (%pre script)
- Update %post to set root:root ownership on directories
- Adjust security hardening for root execution (ProtectSystem=strict)
- Add ReadWritePaths for writable directories

Fixes: systemd error 'Failed at step USER spawning /usr/bin/ja4sentinel: No such process'

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
@ -6,17 +6,16 @@ Wants=network-online.target
[Service]
Type=simple
User=ja4sentinel
Group=ja4sentinel
User=root
Group=root
WorkingDirectory=/var/lib/ja4sentinel
ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
Restart=on-failure
RestartSec=5
Environment=JA4SENTINEL_LOG_LEVEL=info
# Security hardening
NoNewPrivileges=yes
ProtectSystem=full
# Security hardening (compatible with root for packet capture)
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
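Review bot: the `User=root` / `Group=root` change at the top of this hunk fixes the symptom, not the cause. `Failed at step USER spawning /usr/bin/ja4sentinel: No such process` is what systemd reports when it cannot resolve the service account at spawn time, i.e. the `ja4sentinel` user did not exist when the unit started; the fix is to make the RPM `%pre` script (which this commit removes) reliably create that account before the service is enabled, not to drop the dedicated user. An unprivileged user already gets packet-capture rights from the `AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN` line in the next hunk, and `NoNewPrivileges=yes` keeps its value in that setup. If root is kept anyway, the move from `ProtectSystem=full` to `ProtectSystem=strict` is the right direction, but it makes `/etc/ja4sentinel/config.yml` and everything outside `ReadWritePaths` read-only to the service, so document that the process must never write its own config.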
@ -24,10 +23,10 @@ ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel
# Capabilities for packet capture
# Capabilities for packet capture (inherited by root)
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
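Review bot: the new comment `# Capabilities for packet capture (inherited by root)` is misleading and should be reworded. Root does not inherit anything here: `CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN` strips every other capability from the UID 0 process, so the service runs as root holding only those two capabilities (no `CAP_DAC_OVERRIDE`, no `CAP_SYS_ADMIN`). That is exactly the privilege the `ja4sentinel` user would have received through `AmbientCapabilities`, which undercuts the stated reason for switching to root; the only thing UID 0 buys is ownership of the `ReadWritePaths` directories, and the dedicated user could own those instead. Suggest reverting to the unprivileged user, or at minimum changing the comment to say that the bounding set limits root to these capabilities. The added `ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel` line itself is correct and required once `ProtectSystem=strict` is in effect.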