wesnoth/packaging/systemd/wesnothd.service.in
Severin Glöckner d6d2a4f996 systemd: drop _ prefix from username
man 5 sysusers.d recommends:
It is strongly recommended to pick user and group names that are unlikely to clash with normal users created by the administrator.
A good scheme to guarantee this is by prefixing all system and group names with the underscore, and avoiding too generic names.

Looks better without underscore. wesnoth is unique enough to not clash, most daemons on Arch don't have an underscore either.

The group is created implicitly when the user is created.
2024-01-18 01:27:01 +01:00


# systemd unit template for the Wesnoth multiplayer server daemon.
# The @NAME@ tokens are placeholders that are substituted when the final
# .service file is generated from this .in template.
[Unit]
Description=Wesnoth@BINARY_SUFFIX@ Multiplayer Server Daemon
Documentation=https://www.wesnoth.org/wiki/ServerAdministration
Documentation=man:wesnothd(6)
# Ordering only: start after network.target. This neither pulls the network
# in nor waits for it to be fully configured.
After=network.target
# Other wesnothd installations use the same port by default
# Left disabled. If another wesnothd unit is installed on the same host,
# uncomment and adjust the list so that starting this unit stops the other
# one instead of both competing for the port.
# Conflicts=wesnothd-1.12.service wesnothd-1.10.service
# Runs wesnothd as an unprivileged user inside a restricted sandbox.
[Service]
# If wesnothd is started from within the game it runs under a different user
# Deleting the pipe resets owner, group and mode
# The cleanup commands have no "+" prefix, so they run as User= and inside the
# same sandbox as the daemon. Removing a socket left behind by another user
# therefore only works if User= may unlink entries in @FIFO_DIR@
# -- TODO confirm the directory's owner and mode in the packaging.
ExecStartPre=/bin/rm -f @FIFO_DIR@/socket
# -t and -T are passed to wesnothd unchanged; see man:wesnothd(6).
ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/wesnothd@BINARY_SUFFIX@ -t 2 -T 5
# You can use -c to specify the same configuration file
# which is used when starting wesnothd from within the wesnoth UI
# e.g. -c /home/user/.local/share/wesnoth/1.14/lan_server.cfg
# (and make sure wesnothd has the required access permissions)
# systemd replaces $MAINPID with the PID of the main service process.
# Presumably wesnothd re-reads its configuration on SIGHUP -- verify against
# man:wesnothd(6).
ExecReload=/bin/kill -s SIGHUP $MAINPID
ExecStopPost=/bin/rm -f @FIFO_DIR@/socket
SyslogIdentifier=Wesnothd@BINARY_SUFFIX@
WorkingDirectory=@FIFO_DIR@
# Dedicated unprivileged account. No Group= is set, so systemd uses the
# account's default group. This unit does not create the account; it must
# already exist when the service starts.
User=wesnoth
# Additional security-related features
# (when using the -c option, do not use ProtectHome)
# NOTE(review): if the -c file lives under /home, ProtectHome=read-only may be
# enough and is narrower than removing the directive; moving the file outside
# /home keeps ProtectHome=yes intact. Either way the file must be readable by
# User=.
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=yes
# The whole file system hierarchy is read-only for the service; the path in
# ReadWritePaths= is the only location re-opened for writing. Keep that list
# minimal.
ProtectSystem=strict
ReadWritePaths=@FIFO_DIR@
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=yes
# Private /dev containing only pseudo devices; no access to physical devices.
PrivateDevices=yes
# The daemon and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# Allow-list of socket address families: IPv4, IPv6 and UNIX sockets only.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Refuse attempts to enable realtime scheduling.
RestrictRealtime=yes
# Refuse memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
# Only system calls of the native ABI are permitted.
SystemCallArchitectures=native
# Read-only cgroup hierarchy, read-only kernel tunables (/proc/sys, /sys),
# and no explicit kernel module loading.
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
# No creation of, or switching into, new namespaces.
RestrictNamespaces=yes
# The execution domain (personality) cannot be changed.
LockPersonality=yes
# NOTE(review): further candidates, each to be tested against wesnothd before
# enabling: CapabilityBoundingSet= (empty), RestrictSUIDSGID=yes,
# ProtectKernelLogs=yes, ProtectClock=yes, ProtectHostname=yes and a
# SystemCallFilter= allow-list. "systemd-analyze security" on the installed
# unit reports which exposure remains.
# Only used by "systemctl enable/disable": enabling the unit hooks it into
# multi-user.target so the server is started during a normal boot.
[Install]
WantedBy=multi-user.target