Make systemd use 0700 mode on cache folders
The provided gssproxy.service unit configures /var/lib/gssproxy/clients
and /var/lib/gssproxy/rcache as "StateDirectory". However, systemd
applies mode 0755 by default on such folders. "StateDirectoryMode" has
to be set too to restrict access to root only.

Signed-off-by: Julien Rische <jrische@redhat.com>
jrisc committed Aug 7, 2024
1 parent 5ce6448 commit 8ae192a
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions systemd/gssproxy.service.in
Expand Up @@ -6,6 +6,7 @@ Before=rpc-gssd.service
[Service]
ConfigurationDirectory=gssproxy
StateDirectory=gssproxy gssproxy/clients gssproxy/rcache
StateDirectoryMode=0700
Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
ExecStart=@sbindir@/gssproxy -i
# This can be changed to notify-reload and ExecReload= can be removed once
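Review bot: StateDirectoryMode=0700 applies to every path on the StateDirectory= line directly above it, so the top-level /var/lib/gssproxy becomes 0700 along with gssproxy/clients and gssproxy/rcache, while the commit message only names the two subdirectories. If restricting the parent is intended, state that in the commit message; if anything not running as root needs to traverse /var/lib/gssproxy, the parent needs separate handling. The new line also carries no comment, and a short one above it saying that the systemd default is 0755 and that these directories must be readable by root only would make it less likely to be dropped in a later cleanup of the unit file.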