On May 02, Marco d'Itri <m...@linux.it> wrote: > > Adding this to exabgp.service will take care of it. > Do you have any plans to fix this? As far as I can see exabgp is broken > out of the box. I have wasted a couple of hours today because the version currently in testing is broken in a different way and it crashes with Python tracebacks due to /run/exabgp/ != /run/. The exabgp package is not fit to be released.
PermissionsStartOnly and all the ExecStartPre directives in the systemd unit must be replaced with: User=exabgp Group=exabgp RuntimeDirectory=exabgp RuntimeDirectoryMode=0750 ExecStartPre=-/usr/bin/mkfifo /run/exabgp/exabgp.in ExecStartPre=-/usr/bin/mkfifo /run/exabgp/exabgp.out This is all that is needed to securely create the pipes. Optionally, add hardening: ProtectSystem=strict ProtectHome=yes PrivateDevices=yes PrivateTmp=yes ProtectKernelTunables=yes ProtectControlGroups=yes ProtectKernelModules=yes NoNewPrivileges=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=yes RestrictRealtime=yes LockPersonality=yes MemoryDenyWriteExecute=yes SystemCallArchitectures=native SystemCallErrorNumber=EPERM SystemCallFilter=@system-service -- ciao, Marco
signature.asc
Description: PGP signature