init/systemd: Re-add ReadWriteDirectories. (#2798)

In systemd 231 (4f10b80786/NEWS (L3558-L3565)), ReadWriteDirectories was renamed ReadWritePaths. In https://github.com/caddyserver/caddy/pull/2620/files, @aspeteRakete renamed the directive in Caddy's example systemd unit. However, this means that if anyone runs this sytemd unit on a version of systemd older than 231, Caddy will go into a crash loop that hammers Let's Encrypt's servers. That's because the ProtectSystem=full directive prevents writes to all paths that aren't explicitly permitted, and older systemd doesn't see any paths being permitted. To maximize compatibility, I re-add the original ReadWriteDirectories directive. Older systemd will read that; newer systemd will read the newer directive. Both should ignore the directive they do not recognize. Another approach to solve this problem would be to remove ProtectSystem=true, originally introduced in da8ae9e5. That would reduce the risk of similar breakages in the future. It would make for a slightly less "exemplary" systemd unit, but I think it would still be adequate, given that this unit runs caddy as "www-data", a user the presumably has low privileges.
2024-11-25 09:40:13 +08:00 · 2019-10-09 18:04:28 -07:00 · 2019-10-09 18:04:28 -07:00 · 24b2e02ee5
commit 24b2e02ee5
parent be2fdb6af6
1 changed files with 1 additions and 0 deletions
--- a/dist/init/linux-systemd/caddy.service
+++ b/dist/init/linux-systemd/caddy.service
@ -44,6 +44,7 @@ ProtectSystem=full
 ; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
 ;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
 ReadWritePaths=/etc/ssl/caddy
+ReadWriteDirectories=/etc/ssl/caddy

 ; The following additional security directives only work with systemd v229 or later.
 ; They further restrict privileges that can be gained by caddy. Uncomment if you like.