fix: add debian-tor group to backend service for onion address access
The backend couldn't read Tor hidden service hostnames because the systemd service only had SupplementaryGroups=dialout. Adding debian-tor allows the backend to read /var/lib/tor/hidden_service_*/hostname without needing sudo (which is blocked by NoNewPrivileges=yes).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent ffeb49e608
commit c191dddd2b
@ -30,7 +30,7 @@ ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/con
|
|||||||
# Privilege restriction — restored with rootless podman (no sudo needed)
|
# Privilege restriction — restored with rootless podman (no sudo needed)
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=no
|
PrivateDevices=no
|
||||||
SupplementaryGroups=dialout
|
SupplementaryGroups=dialout debian-tor
|
||||||
|
|
||||||
# Network restriction (allow only IPv4/IPv6 + Unix sockets)
|
# Network restriction (allow only IPv4/IPv6 + Unix sockets)
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
|
|||||||
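Review bot: On the `SupplementaryGroups=dialout debian-tor` line, group membership is a wider grant than the single read the commit message describes (`/var/lib/tor/hidden_service_*/hostname`): the backend gains whatever else is group-accessible to `debian-tor` on the host. Before merging, check the modes on the hidden-service directories and on any Tor control socket or cookie file, so that the service private keys and the control interface are not reachable through this group, and consider a narrower alternative such as publishing only the hostname files to a path the backend already reads. The line also carries no comment of its own; the block's comment mentions only rootless podman, so a short note on why each group is listed would keep a later cleanup from dropping or widening it.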