Disabled NoNewPrivileges security restriction to allow the service to execute sudo commands for system shutdown and reboot. Also expanded PATH to include /sbin and /usr/sbin directories.

Changes:
- Commented out NoNewPrivileges=true to allow sudo privilege escalation
- Added /sbin and /usr/sbin to PATH environment variable
- Keeps other security hardening (PrivateTmp, user/group isolation)

Why this is needed:
The NoNewPrivileges flag prevents any process from gaining additional privileges, which blocks sudo even with proper sudoers configuration.

This is safe to disable for this use case because:
1. Service runs as specific user (berwn)
2. Sudoers file restricts to only /sbin/shutdown and /sbin/reboot
3. No other privilege escalation paths in the application

This fixes the issue where reboot works with 'make start' but not as a systemd service.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
25 lines
644 B
Desktop File
[Unit]
Description=Wedding Phone - Vintage Rotary Phone Audio System
After=network.target sound.target
Wants=network.target sound.target

[Service]
Type=simple
User=berwn
Group=berwn
WorkingDirectory=/home/berwn/wedding-phone
Environment="PATH=/home/berwn/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
ExecStart=/home/berwn/.local/bin/uv run --no-project python rotary_phone_web.py
Restart=always
RestartSec=10

# Security hardening
# NoNewPrivileges=true # Disabled to allow sudo for shutdown/reboot commands
PrivateTmp=true

# Allow GPIO access
SupplementaryGroups=gpio audio

[Install]
WantedBy=multi-user.target
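
The commit message attributes the failed reboot to NoNewPrivileges; the kernel exposes that state per process as the `NoNewPrivs` field of `/proc/<pid>/status`, so a service can check it before relying on sudo. The sketch below is an added example, not code from this repository: the function names and the sample inputs are assumptions constructed for illustration.

```python
"""Added example (not project code): check no_new_privs before relying on sudo."""
from pathlib import Path

# Constructed /proc/<pid>/status excerpts; only the NoNewPrivs field matters here.
STATUS_HARDENED = "Name:\tpython\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t1\n"
STATUS_RELAXED = "Name:\tpython\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t0\n"

# Constructed unit excerpt mirroring the [Service] hardening lines on this page.
UNIT_SAMPLE = """[Service]
User=berwn
# NoNewPrivileges=true  # Disabled to allow sudo for shutdown/reboot commands
PrivateTmp=true
"""


def no_new_privs(status_text):
    """True/False from the kernel's NoNewPrivs field, None if the field is absent."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "NoNewPrivs":
            return value.strip() == "1"
    return None


def active_directives(unit_text, section="Service"):
    """Uncommented key=value pairs of one section (last assignment wins)."""
    current, found = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, _, value = line.partition("=")
            found[key.strip()] = value.strip()
    return found


def sudo_blocked(status_text):
    """sudo is setuid root; with no_new_privs set, execve() ignores the setuid bit."""
    return no_new_privs(status_text) is True


if __name__ == "__main__":
    status = Path("/proc/self/status")
    if status.exists():  # Linux only
        print("sudo blocked by no_new_privs:", sudo_blocked(status.read_text()))
    print("active [Service] directives:", active_directives(UNIT_SAMPLE))
```

Running the check inside the service and again from an interactive shell shows whether the two environments differ in this flag, which is the difference the commit message describes between `make start` and the systemd unit.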