From bbd575ed23cf9e27a1b43007875568fba8458694 Mon Sep 17 00:00:00 2001 From: Tom Vincent Date: Fri, 26 Nov 2021 18:49:50 +0000 Subject: [PATCH] Harden systemd service, update restart policy (#888) --- CHANGELOG.md | 1 + contrib/librespot.service | 8 ++++---- contrib/librespot.user.service | 2 ++ 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb800c00..7ffd99cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [main] Enforce reasonable ranges for option values (breaking). - [main] Don't evaluate options that would otherwise have no effect. - [playback] `alsa`: Improve `--device ?` functionality for the alsa backend. +- [contrib] Hardened security of the systemd service units ### Added - [cache] Add `disable-credential-cache` flag (breaking). diff --git a/contrib/librespot.service b/contrib/librespot.service index 76037c8c..2c92a149 100644 --- a/contrib/librespot.service +++ b/contrib/librespot.service @@ -2,12 +2,12 @@ Description=Librespot (an open source Spotify client) Documentation=https://github.com/librespot-org/librespot Documentation=https://github.com/librespot-org/librespot/wiki/Options -Requires=network-online.target -After=network-online.target +Wants=network.target sound.target +After=network.target sound.target [Service] -User=nobody -Group=audio +DynamicUser=yes +SupplementaryGroups=audio Restart=always RestartSec=10 ExecStart=/usr/bin/librespot --name "%p@%H" diff --git a/contrib/librespot.user.service b/contrib/librespot.user.service index a676dde0..36f7f8c9 100644 --- a/contrib/librespot.user.service +++ b/contrib/librespot.user.service @@ -2,6 +2,8 @@ Description=Librespot (an open source Spotify client) Documentation=https://github.com/librespot-org/librespot Documentation=https://github.com/librespot-org/librespot/wiki/Options +Wants=network.target sound.target +After=network.target sound.target [Service] Restart=always