diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb418b11e..ba96fc44c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - in case of vulnerabilities.
 -->
+## [future]
+
+### Changed
+- The `AdminListen` option and `yggdrasilctl` now default to `unix:///var/run/yggdrasil/yggdrasil.sock` on Linux
+
+
 ## [0.4.2] - 2021-11-03
 ### Fixed
 - Reverted a dependency update which resulted in problems building with Go 1.16 and running on Windows
diff --git a/contrib/systemd/yggdrasil.service b/contrib/systemd/yggdrasil.service
index cdada6c00..6080a6b07 100644
--- a/contrib/systemd/yggdrasil.service
+++ b/contrib/systemd/yggdrasil.service
@@ -6,16 +6,25 @@ After=network-online.target
 After=yggdrasil-default-config.service
 [Service]
-Group=yggdrasil
 ProtectHome=true
 ProtectSystem=true
 SyslogIdentifier=yggdrasil
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStartPre=+-/sbin/modprobe tun
 ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 TimeoutStopSec=5
+Group=yggdrasil
+User=yggdrasil-dyn
+DynamicUser=true
+ProtectSystem=strict
+NoNewPrivileges=true
+ReadWritePaths=/var/run/yggdrasil /run/yggdrasil
+
+# make sure /var/run/yggdrasil/ is created writable for the user.
+RuntimeDirectory=yggdrasil
+# the small list of admin capabilities we need to do our job
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
diff --git a/src/defaults/defaults_linux.go b/src/defaults/defaults_linux.go
index c7f5f119b..3741a766f 100644
--- a/src/defaults/defaults_linux.go
+++ b/src/defaults/defaults_linux.go
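Review bot: The [Service] section of contrib/systemd/yggdrasil.service loses its capability ceiling: `CapabilityBoundingSet=` is removed when `AmbientCapabilities=` is added, although the two are complementary, so I would keep `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` beside the ambient set as the explicit upper bound (`NoNewPrivileges=true` narrows the gap but does not replace it). The section now also carries both `ProtectSystem=true` (an unchanged context line) and `ProtectSystem=strict`; the later assignment takes effect, so the stale line should be deleted to avoid misreading the hardening level. Because the admin socket now lives under the `RuntimeDirectory=`, adding `RuntimeDirectoryMode=0750` would limit who can reach it to the service user and the yggdrasil group; the socket's own mode is set by the daemon and is not visible in this diff.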
@@ -8,7 +8,7 @@ package defaults
 func GetDefaults() platformDefaultParameters {
 return platformDefaultParameters{
 // Admin
- DefaultAdminListen: "unix:///var/run/yggdrasil.sock",
+ DefaultAdminListen: "unix:///var/run/yggdrasil/yggdrasil.sock",
 // Configuration (used for yggdrasilctl)
 DefaultConfigFile: "/etc/yggdrasil.conf",
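Review bot: The new `DefaultAdminListen` value only works where `/var/run/yggdrasil/` already exists and is writable by the daemon's user, and on this page that is guaranteed only by `RuntimeDirectory=yggdrasil` in contrib/systemd/yggdrasil.service. Nothing in the hunk shows the listener creating the directory, so a start outside that unit would presumably fail to bind the admin socket. I would record the dependency next to the value, e.g. `// Parent directory is created by the service manager (RuntimeDirectory=yggdrasil in the systemd unit).` The body of GetDefaults continues past the end of the hunk.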