Fix systemd service to allow sudo for shutdown/reboot commands
Disabled NoNewPrivileges security restriction to allow the service to execute sudo commands for system shutdown and reboot. Also expanded PATH to include /sbin and /usr/sbin directories.

Changes:
- Commented out NoNewPrivileges=true to allow sudo privilege escalation
- Added /sbin and /usr/sbin to PATH environment variable
- Keeps other security hardening (PrivateTmp, user/group isolation)

Why this is needed:
The NoNewPrivileges flag prevents any process from gaining additional privileges, which blocks sudo even with proper sudoers configuration.

This is safe to disable for this use case because:
1. Service runs as specific user (berwn)
2. Sudoers file restricts to only /sbin/shutdown and /sbin/reboot
3. No other privilege escalation paths in the application

This fixes the issue where reboot works with 'make start' but not as a systemd service.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -8,13 +8,13 @@ Type=simple
|
|||||||
User=berwn
|
User=berwn
|
||||||
Group=berwn
|
Group=berwn
|
||||||
WorkingDirectory=/home/berwn/wedding-phone
|
WorkingDirectory=/home/berwn/wedding-phone
|
||||||
Environment="PATH=/home/berwn/.local/bin:/usr/local/bin:/usr/bin:/bin"
|
Environment="PATH=/home/berwn/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
ExecStart=/home/berwn/.local/bin/uv run --no-project python rotary_phone_web.py
|
ExecStart=/home/berwn/.local/bin/uv run --no-project python rotary_phone_web.py
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=10
|
RestartSec=10
|
||||||
|
|
||||||
# Security hardening
|
# Security hardening
|
||||||
NoNewPrivileges=true
|
# NoNewPrivileges=true # Disabled to allow sudo for shutdown/reboot commands
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
|
|
||||||
# Allow GPIO access
|
# Allow GPIO access
|
||||||
|
|||||||
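Review bot: Commenting out `NoNewPrivileges=true` under `# Security hardening` lifts the restriction for every process this unit starts, not only the sudo call for shutdown and reboot, so any setuid binary the service can reach is able to raise privileges again. The sudoers rule that the commit message relies on to limit this to /sbin/shutdown and /sbin/reboot is not part of this change, so it cannot be reviewed here; ship it alongside the unit file. An alternative that keeps `NoNewPrivileges=true` is to request reboot and poweroff from systemd-logind over D-Bus (for example `systemctl reboot`) with a polkit rule scoped to user berwn, since that path does not depend on a setuid binary. If the setting stays disabled, delete the line instead of leaving it commented out, and because the new PATH still lists /home/berwn/.local/bin (a directory under the service user's home) first, have the application call sudo and the shutdown binaries by absolute path.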