oss/Radicale
oss/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-06-29 16:55:32 +00:00
Code Wiki Activity

Improve security for systemd and daemonization

Browse source
This commit is contained in:
Unrud 2017-06-10 18:28:54 +02:00 committed by GitHub
parent 326859e53e
commit b3a5371e06
1 changed files with 25 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

29
setup.md
View file

@ -159,24 +159,42 @@ $ journalctl --user --unit radicale.service
### Linux with systemd system-wide ### Linux with systemd system-wide
Create the **radicale** user and group for the Radicale service. Create the **radicale** user and group for the Radicale service.
The configuration files must be readable by this user and the storage folder (Run `useradd --system --home-dir / --shell /sbin/nologin radicale` as root.)
must be writable. The storage folder must be writable by **radicale**. (Run
`mkdir -p /var/lib/radicale && chown -R radicale:radicale /var/lib/radicale`
as root.)
Create the file `/etc/systemd/system/radicale.service`: Create the file `/etc/systemd/system/radicale.service`:
```ini ```ini
[Unit] [Unit]
Description=A simple CalDAV (calendar) and CardDAV (contact) server Description=A simple CalDAV (calendar) and CardDAV (contact) server
After=network.target
Requires=network.target
[Service] [Service]
ExecStart=/usr/bin/env python3 -m radicale ExecStart=/usr/bin/env python3 -m radicale
Restart=on-failure Restart=on-failure
User=radicale User=radicale
# Optional security settings
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
ReadWritePaths=/var/lib/radicale
# Deny other users access to the calendar data
#UMask=0027
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
``` ```
You may have to add addition command line arguments to Radicale for the Radicale will load the configuration file from `/etc/radicale/config`.
configuration file, etc. Other users can read your calendar data. To prevent this, uncomment the
`UMask=0027` line in your service file and protect the files that are
already created. (Run `chmod -R o= /var/lib/radicale` as root.)
To enable and manage the service run: To enable and manage the service run:
```shell ```shell
@ -205,6 +223,9 @@ After daemonization the server will not log anything. You have to configure
If you start Radicale now, it will initialize and fork into the background. If you start Radicale now, it will initialize and fork into the background.
The main process exits, after the PID file is written. The main process exits, after the PID file is written.
You can set the **umask** with `umask 0027` before you start the daemon, to
protect your calendar data from other users.
## Windows with "NSSM - the Non-Sucking Service Manager" ## Windows with "NSSM - the Non-Sucking Service Manager"
First install [NSSM](https://nssm.cc/) and start `nssm install` in a command First install [NSSM](https://nssm.cc/) and start `nssm install` in a command