grabowski/wedding-phone
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix systemd service to allow sudo for shutdown/reboot commands

Browse Source 
Disabled NoNewPrivileges security restriction to allow the service to
execute sudo commands for system shutdown and reboot. Also expanded PATH
to include /sbin and /usr/sbin directories.

Changes:
- Commented out NoNewPrivileges=true to allow sudo privilege escalation
- Added /sbin and /usr/sbin to PATH environment variable
- Keeps other security hardening (PrivateTmp, user/group isolation)

Why this is needed:
The NoNewPrivileges flag prevents any process from gaining additional
privileges, which blocks sudo even with proper sudoers configuration.
This is safe to disable for this use case because:
1. Service runs as specific user (berwn)
2. Sudoers file restricts to only /sbin/shutdown and /sbin/reboot
3. No other privilege escalation paths in the application

This fixes the issue where reboot works with 'make start' but not as
a systemd service.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Alexander Grabowski
2025-10-29 17:48:07 +07:00
parent 416d437aef
commit 86b2770d3e
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
wedding-phone.service
View File

@@ -8,13 +8,13 @@ Type=simple
User=berwn
Group=berwn
WorkingDirectory=/home/berwn/wedding-phone
Environment="PATH=/home/berwn/.local/bin:/usr/local/bin:/usr/bin:/bin"
Environment="PATH=/home/berwn/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
ExecStart=/home/berwn/.local/bin/uv run --no-project python rotary_phone_web.py
Restart=always
RestartSec=10
# Security hardening
NoNewPrivileges=true
# NoNewPrivileges=true # Disabled to allow sudo for shutdown/reboot commands
PrivateTmp=true
# Allow GPIO access