fixup! Fix: The Kubo IPFS service was not hardened

aleph-im · Sep 26, 2023 · 679f865 · 679f865
1 parent f6880ca
commit 679f865
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/packaging/aleph-vm/etc/systemd/system/ipfs.service b/packaging/aleph-vm/etc/systemd/system/ipfs.service
@@ -25,6 +25,7 @@ After=network.target
 
 [Service]
 # hardening
+ReadOnlyPaths="/opt/kubo/"
 ReadWritePaths="/var/lib/ipfs/"
 NoNewPrivileges=true
 ProtectSystem=strict
@@ -70,8 +71,7 @@ TimeoutStartSec=infinity
 Type=notify
 User=ipfs
 Group=ipfs
-StateDirectory=ipfs
-Environment=IPFS_PATH="${HOME}"
+Environment=IPFS_PATH="/var/lib/ipfs"
 ExecStart=/opt/kubo/ipfs daemon --init --migrate --init-profile=server
 Restart=on-failure
 KillSignal=SIGINT