Hello,
Ooh man, I got confused because I also had trouble with the logrotate service. ProtectSystem=full was not in the openvpn@ service:
systemctl cat openvpn@<conf>
# [Service]
# Type=notify
# PrivateTmp=true
# WorkingDirectory=/etc/openvpn
# ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
# PIDFile=/run/openvpn/%i.pid
[..]
# DeviceAllow=/dev/null rw
# DeviceAllow=/dev/net/tun rw
# ProtectSystem=true
# ProtectHome=true
So no outbreak... :facepalm:
Kind regards
On 25.06.25 13:15, Andy Smith wrote:
Hi,
On Wed, Jun 25, 2025 at 11:33:02AM +0200, Philipp Ewald wrote:
ProtectSystem=full should be read-only /etc
what is the point of this setting if the process still can write there?
The "full" setting is indeed meant to keep the whole filesystem
read-only for that service, except /dev, /proc, and /sys, so if yours
isn't then there is something else going on.
It doesn't work for user services (i.e. services started with the --user
option).
It doesn't work if your kernel doesn't support filesystem namespaces,
which can happen if you have systemd running inside some other
container.
ReadWritePaths= can be used to add paths that can be written to, so
check there isn't one of those.
Otherwise there is some other issue, or a bug.
Thanks,
Andy
--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Geschäftsführer: Werner Grafenhain
Informationen zum Datenschutz: www.digionline.de/ds
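Added example (not part of the thread): a POSIX sh helper that takes the output of `systemctl show -p ProtectSystem -p ReadWritePaths <unit>` and says whether a given path is expected to be read-only or writable for that service, so the ProtectSystem=true vs. =full difference above and Andy's ReadWritePaths= check can be verified mechanically instead of by eye. It assumes a system (not --user) service on a kernel with mount namespaces, models only ProtectSystem= and ReadWritePaths= (not ProtectHome=, ReadOnlyPaths= or InaccessiblePaths=), and the sample `show` outputs in the comments are constructed.

```shell
#!/bin/sh
# Expected write access to a path under a unit's ProtectSystem= / ReadWritePaths=
# settings, per the systemd.exec(5) semantics:
#   no/false  -> nothing made read-only
#   yes/true  -> /usr, /boot, /efi read-only
#   full      -> additionally /etc read-only
#   strict    -> whole hierarchy read-only except /dev, /proc, /sys
# ReadWritePaths= entries punch writable holes (leading '-'/'+' markers stripped).
# Only top-level prefix matching is done; ReadOnlyPaths=/InaccessiblePaths= are ignored.

# expected_access <path> <systemctl-show-output>  -> prints "ro" or "rw"
expected_access() {
  path=$1
  show=$2
  ps=$(printf '%s\n' "$show" | sed -n 's/^ProtectSystem=//p')
  rwp=$(printf '%s\n' "$show" | sed -n 's/^ReadWritePaths=//p')
  # A ReadWritePaths= entry covering the path wins over ProtectSystem=.
  for p in $rwp; do
    p=${p#-}; p=${p#+}
    case "$path" in "$p"|"$p"/*) echo rw; return 0 ;; esac
  done
  case "$ps" in
    strict)
      case "$path" in /dev|/dev/*|/proc|/proc/*|/sys|/sys/*) echo rw ;; *) echo ro ;; esac ;;
    full)
      case "$path" in /usr|/usr/*|/boot|/boot/*|/efi|/efi/*|/etc|/etc/*) echo ro ;; *) echo rw ;; esac ;;
    yes|true)
      case "$path" in /usr|/usr/*|/boot|/boot/*|/efi|/efi/*) echo ro ;; *) echo rw ;; esac ;;
    *) echo rw ;;
  esac
}

# check_unit <path> <unit>: query the live unit (requires systemctl on the host)
check_unit() {
  expected_access "$1" "$(systemctl show -p ProtectSystem -p ReadWritePaths "$2")"
}

# Constructed sample matching the unit in the thread (ProtectSystem=true, no holes):
#   expected_access /etc/openvpn "$(printf 'ProtectSystem=yes\nReadWritePaths=\n')"  -> rw
```

If the helper says "ro" but the service can still write, the remaining suspects are the ones Andy lists: a --user unit, a kernel or container without mount namespaces, or another setting not modelled here.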