also recommended: AmbientCapabilities. For example, I use this configuration to run backups, with a normal user that gets the "read all files capability":
User=backup
AmbientCapabilities=CAP_DAC_READ_SEARCH
The service also makes the system read-only for itself, apart from /var/lib/backup and a private /tmp:
ProtectSystem=strict
ReadWritePaths=/var/lib/backup
PrivateTmp=true
#systemd
neini /
npub1tr…c0ya9
2024-06-21 15:24:52
in reply to nevent1q…mft4
Author Public Key
npub1trp5d78kkmgh77s87q8djpgzmyuzyfwxrys9wdgc6c5zf45swgssec0ya9Published at
2024-06-21 15:24:52Event JSON
{
"id": "0be17f649844eb308ddbd80aaf82848c0e4bd3ccc01262cb4e9824b0cde6df73",
"pubkey": "58c346f8f6b6d17f7a07f00ed90502d9382225c61920573518d62824d6907221",
"created_at": 1718983492,
"kind": 1,
"tags": [
[
"p",
"58c346f8f6b6d17f7a07f00ed90502d9382225c61920573518d62824d6907221"
],
[
"t",
"systemd"
],
[
"e",
"abe8225fc830574b568c51a385ef3a0c0c799a7c9b7dc7e3660a0a168c16ed22",
"",
"root"
],
[
"proxy",
"https://mastodon.social/@neingeist/112655302154033450",
"web"
],
[
"e",
"28bf7db0b2f8d6454f494bcd38f35d2705d657de6bcbbe508485ce7555249a23",
"",
"reply"
],
[
"p",
"a071462e960207a7a2272a3f59d042e59623bb2217b56f9365cba21e12213e3e"
],
[
"proxy",
"https://mastodon.social/users/neingeist/statuses/112655302154033450",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://mastodon.social/users/neingeist/statuses/112655302154033450",
"pink.momostr"
]
],
"content": "also recommended: AmbientCapabilities. For example, I use this configuration to run backups, with a normal user that gets the \"read all files capability\":\n\nUser=backup\nAmbientCapabilities=CAP_DAC_READ_SEARCH\n\nThe service also makes the system read-only for itself, apart from /var/lib/backup and a private /tmp:\n\nProtectSystem=strict\nReadWritePaths=/var/lib/backup\nPrivateTmp=true\n\n#systemd",
"sig": "e758bea8e6b4f47ee38ae17d2024f709bf97fbbf5c9e89420d06008b9f7c32c139a33f1749b0fbde0994a12c771e994e8d008b104b052a59d4e94c0198208caf"
}