From: Wayne Davison Date: Wed, 1 Jul 2020 17:40:02 +0000 (-0700) Subject: Don't set systemd ProtectHome=on by default. X-Git-Tag: v3.2.2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce12142c459788b611da5f5d525e0486822b043a;p=thirdparty%2Frsync.git Don't set systemd ProtectHome=on by default. --- diff --git a/NEWS.md b/NEWS.md index 2b192b38..e30d9903 100644 --- a/NEWS.md +++ b/NEWS.md @@ -39,6 +39,11 @@ Protocol: 31 (unchanged) also allows you to specify the value via the RSYNC_MAX_ALLOC environment variable. + - The default systemd config was changed to remove the `ProtectHome=on` + setting since rsync is often used to serve files in /home and this seemed a + bit too strict. Feel free to use `systemctl edit rsync` to add that + restriction to your own setup, if you like. + - The memory allocation functions now automatically check for a failure and die when out of memory. This eliminated some caller-side check-and-die code and added some missing sanity-checking of allocations. @@ -98,6 +103,11 @@ Protocol: 31 (unchanged) ### ENHANCEMENTS: + - The default systemd config was made a bit stricter by default. For + instance, `ProtectHome=on` was added. You can override this using the + standard `systemctl edit rsync` and add a line to turn that off under a + `[Service]` heading. + - The use of `--backup-dir=STR` now implies `--backup`. - Added `--zl=NUM` as a short-hand for `--compress-level=NUM`. diff --git a/packaging/systemd/rsync.service b/packaging/systemd/rsync.service index fafe72b3..5955db9e 100644 --- a/packaging/systemd/rsync.service +++ b/packaging/systemd/rsync.service @@ -23,7 +23,7 @@ RestartSec=1 # See systemd.unit(5) and search for "drop-in" for full details. ProtectSystem=full -ProtectHome=on +#ProtectHome=on PrivateDevices=on NoNewPrivileges=on diff --git a/packaging/systemd/rsync@.service b/packaging/systemd/rsync@.service index e1f48da8..3168cb61 100644 --- a/packaging/systemd/rsync@.service 
+++ b/packaging/systemd/rsync@.service @@ -23,6 +23,6 @@ StandardError=journal # See systemd.unit(5) and search for "drop-in" for full details. ProtectSystem=full -ProtectHome=on +#ProtectHome=on PrivateDevices=on NoNewPrivileges=on
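Review bot: In the NEWS.md hunk at @@ -39,6 +39,11, the entry says the default config was changed "to remove" the setting, while both unit files keep it as a commented-out `#ProtectHome=on` line. Wording such as "disabled (commented out)" would match what ships, and it tells admins that re-enabling it is a one-line change in a drop-in.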
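Review bot: In the NEWS.md hunk at @@ -98,6 +103,11, the entry tells readers to "add a line to turn that off" without showing the line. Spell it out as `ProtectHome=off` under `[Service]`, and tighten the doubled "default systemd config ... by default" in the first sentence.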
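Review bot: In the packaging/systemd/rsync.service hunk, `#ProtectHome=on` is left commented out with nothing beside it saying why. Add a short comment that it is off because rsync often serves files from /home, and that setups which do not serve from /home, /root or /run/user should turn it back on in a drop-in. `ProtectHome=read-only` is worth naming there as a middle setting for daemons that only offer those trees for download, since the `ProtectSystem=full` line in the context does not cover them.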
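Review bot: In the packaging/systemd/rsync@.service hunk, the same edit is repeated for the template unit, but the NEWS text in this commit only mentions `systemctl edit rsync`. An override created that way applies to rsync.service and not to instances of this template, so the documentation should say that a separate drop-in for `rsync@.service` is needed to restore `ProtectHome=on` there.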