From 24b2e02ee558ec8cbe4ed7b362a4d1065e573587 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Wed, 9 Oct 2019 18:04:28 -0700
Subject: [PATCH] init/systemd: Re-add ReadWriteDirectories. (#2798)

In systemd 231 (https://github.com/systemd/systemd/blob/4f10b80786e8baa1399b6de6111d5b3a16bf99ba/NEWS#L3558-L3565), ReadWriteDirectories was renamed ReadWritePaths.

In https://github.com/caddyserver/caddy/pull/2620/files, @aspeteRakete renamed the directive in Caddy's example systemd unit. However, this means that if anyone runs this systemd unit on a version of systemd older than 231, Caddy will go into a crash loop that hammers Let's Encrypt's servers. That's because the ProtectSystem=full directive prevents writes to all paths that aren't explicitly permitted, and older systemd doesn't see any paths being permitted.

To maximize compatibility, I re-add the original ReadWriteDirectories directive. Older systemd will read that; newer systemd will read the newer directive. Both should ignore the directive they do not recognize.

Another approach to solve this problem would be to remove ProtectSystem=true, originally introduced in da8ae9e5. That would reduce the risk of similar breakages in the future. It would make for a slightly less "exemplary" systemd unit, but I think it would still be adequate, given that this unit runs caddy as "www-data", a user that presumably has low privileges.
---
 dist/init/linux-systemd/caddy.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dist/init/linux-systemd/caddy.service b/dist/init/linux-systemd/caddy.service
index 55251fb8b..07cfeb6ff 100644
--- a/dist/init/linux-systemd/caddy.service
+++ b/dist/init/linux-systemd/caddy.service
@@ -44,6 +44,7 @@ ProtectSystem=full ; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there. ; This merely retains r/w access rights, it does not add any new. Must still be writable on the host! ReadWritePaths=/etc/ssl/caddy +ReadWriteDirectories=/etc/ssl/caddy ; The following additional security directives only work with systemd v229 or later. ; They further restrict privileges that can be gained by caddy. Uncomment if you like.
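Review bot: the added `ReadWriteDirectories=/etc/ssl/caddy` line sits under a comment that explains only one directive ("This merely retains r/w access rights ..."), so the unit now carries what looks like a duplicate with no explanation, and the next tidy-up is likely to delete one spelling and silently reintroduce the crash loop on systemd older than 231 that the commit message describes. Add a comment on the line before it, e.g. `; ReadWriteDirectories= is the pre-systemd-231 name of ReadWritePaths=; keep both so every systemd version honours one of them.`, and consider extending the "only work with systemd v229 or later" note a few lines down to mention the 231 rename. Since the message says both versions "should" ignore the spelling they do not know, it is worth confirming on one host below 231 and one at or above it that the unit starts and /etc/ssl/caddy is writable before this merges.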
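The commit message explains the failure mode in prose: under `ProtectSystem=full` a path is writable only if the running systemd recognises the directive that grants it, and the directive was spelled `ReadWriteDirectories` before systemd 231 and `ReadWritePaths` from 231 on. The following shell lint makes that check explicit for a unit fragment and a systemd version. It is an added example, not Caddy's or systemd's code. It assumes the simplified model the commit message uses, namely that each systemd version honours only its own spelling of the directive, takes the 231 threshold from the message, and uses constructed unit fragments standing in for the `[Service]` section before and after this patch rather than the real `caddy.service`.

```shell
#!/bin/sh
# Added example, not part of the Caddy project. Checks which paths a given systemd
# version will actually leave writable under ProtectSystem= for a unit fragment.

# Constructed unit fragments (not the real caddy.service): the state before and after
# this patch, reduced to the lines that matter for the check.
UNIT_BEFORE='[Service]
ProtectSystem=full
ReadWritePaths=/etc/ssl/caddy'

UNIT_AFTER='[Service]
ProtectSystem=full
ReadWritePaths=/etc/ssl/caddy
ReadWriteDirectories=/etc/ssl/caddy'

# Extract the major version from `systemctl --version` style output,
# e.g. "systemd 229" -> 229, "systemd 245 (245.4-4ubuntu3)" -> 245.
systemd_major() {
  printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*$/\1/p'
}

# Directive spelling a given systemd version honours (assumption from the commit
# message: the old name below 231, the new name from 231 on, and nothing else).
rw_directive_for() {
  if [ "$1" -ge 231 ]; then
    printf 'ReadWritePaths\n'
  else
    printf 'ReadWriteDirectories\n'
  fi
}

# Print the paths (one per line) that systemd version $2 leaves writable in unit $1.
# Returns 1 when ProtectSystem= is set but the directive this version understands
# grants nothing: the state that put Caddy into a crash loop on systemd < 231.
effective_rw_paths() {
  directive=$(rw_directive_for "$2")
  paths=$(printf '%s\n' "$1" | sed -n "s/^${directive}=//p")
  if printf '%s\n' "$1" | grep -q '^ProtectSystem=' && [ -z "$paths" ]; then
    return 1
  fi
  printf '%s\n' "$paths"
}

# Stand-alone demo: the pre-patch unit on a 229 and a 245 host, then the patched unit.
for ver in 229 245; do
  if out=$(effective_rw_paths "$UNIT_BEFORE" "$ver"); then
    echo "before patch, systemd $ver: writable $out"
  else
    echo "before patch, systemd $ver: nothing writable under ProtectSystem=full"
  fi
  echo "after patch,  systemd $ver: writable $(effective_rw_paths "$UNIT_AFTER" "$ver")"
done
```

On a real host, feed `effective_rw_paths` the output of `systemd_major "$(systemctl --version)"` and the `[Service]` section of the installed unit; a non-zero exit is the condition to catch before the service is enabled, since the crash loop only shows up at runtime.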