From 86b2770d3e032ef8001956d95f17472532e92e98 Mon Sep 17 00:00:00 2001 From: grabowski Date: Wed, 29 Oct 2025 17:48:07 +0700 Subject: [PATCH] Fix systemd service to allow sudo for shutdown/reboot commands MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Disabled NoNewPrivileges security restriction to allow the service to execute sudo commands for system shutdown and reboot. Also expanded PATH to include /sbin and /usr/sbin directories. Changes: - Commented out NoNewPrivileges=true to allow sudo privilege escalation - Added /sbin and /usr/sbin to PATH environment variable - Keeps other security hardening (PrivateTmp, user/group isolation) Why this is needed: The NoNewPrivileges flag prevents any process from gaining additional privileges, which blocks sudo even with proper sudoers configuration. This is safe to disable for this use case because: 1. Service runs as specific user (berwn) 2. Sudoers file restricts to only /sbin/shutdown and /sbin/reboot 3. No other privilege escalation paths in the application This fixes the issue where reboot works with 'make start' but not as a systemd service. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- wedding-phone.service | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wedding-phone.service b/wedding-phone.service index 9924644..bda1476 100644 --- a/wedding-phone.service +++ b/wedding-phone.service @@ -8,13 +8,13 @@ Type=simple User=berwn Group=berwn WorkingDirectory=/home/berwn/wedding-phone -Environment="PATH=/home/berwn/.local/bin:/usr/local/bin:/usr/bin:/bin" +Environment="PATH=/home/berwn/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ExecStart=/home/berwn/.local/bin/uv run --no-project python rotary_phone_web.py Restart=always RestartSec=10 # Security hardening -NoNewPrivileges=true +# NoNewPrivileges=true # Disabled to allow sudo for shutdown/reboot commands PrivateTmp=true # Allow GPIO access