[arch-commits] Commit in bitwarden_rs/trunk (3 files)

Daniel M. Capella polyzen at archlinux.org
Tue Nov 24 22:13:57 UTC 2020


    Date: Tuesday, November 24, 2020 @ 22:13:57
  Author: polyzen
Revision: 761016

upgpkg: bitwarden_rs 1.17.0-4: Omit home directory and shell

As recommended in sysusers.d(5).

Also follow option ordering used in systemd unit manuals.

Modified:
  bitwarden_rs/trunk/PKGBUILD
  bitwarden_rs/trunk/bitwarden_rs.service
  bitwarden_rs/trunk/bitwarden_rs.sysusers.conf

----------------------------+
 PKGBUILD                   |    6 ++--
 bitwarden_rs.service       |   60 ++++++++++++++++---------------------------
 bitwarden_rs.sysusers.conf |    2 -
 3 files changed, 27 insertions(+), 41 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-11-24 20:51:09 UTC (rev 761015)
+++ PKGBUILD	2020-11-24 22:13:57 UTC (rev 761016)
@@ -4,7 +4,7 @@
 
 pkgname=bitwarden_rs
 pkgver=1.17.0
-pkgrel=3
+pkgrel=4
 pkgdesc='Unofficial Bitwarden compatible server written in Rust'
 arch=('x86_64')
 url=https://github.com/dani-garcia/bitwarden_rs
@@ -20,8 +20,8 @@
         "$pkgname.sysusers.conf"
         "$pkgname.tmpfiles")
 b2sums=('faf4a3e0cba6905547c347bd8d7939e2412116d5c9b226e49cddd04306b6e69e00e1f5d7b1b09493ff02614d5417b34cd9c54cb3efffbf238e23e3f54bacd5d1'
-        '8fc7e0aeed4b17065ddaedad0038e2a635e9bc477170e397a116845249784f3beaa7c241e9706ae64abc1c662eb969ccfa045e21bd805188690bb308e1d88a97'
-        '1c95c3ba5b40508c0b67bec788ea38468baddd5e0e2b20ff78aaeb99cb5d0b93e29995dc4672a96a7be9a3b0d3a5c5a607576a2db01309ff08231eb4b747b659'
+        'c344164792bc9f9d5b485f932d2c476515d783cb54478e60fb8ca3c17f5781e067af0d2dff0670886fd186427c78e986f544f66d34e936db9f719c7f0be156e3'
+        'c44af94e19724ba23a11cec3ccc46ff9db307a058564d539dc533308e75ff43cfb5e42515bd49fdeb86e02cbc7575dc87c3b132d9d28d49f7e8fedab598c06f5'
         'a2a6a128a405b4dbd06eb84c25b1971a5dcab4b918d6fec74da317b76485eda6b4b16ad972a85d9c8267b0a848787761fae75cd6bbb81d970a8cbc8683a2fc42')
 
 prepare() {

Modified: bitwarden_rs.service
===================================================================
--- bitwarden_rs.service	2020-11-24 20:51:09 UTC (rev 761015)
+++ bitwarden_rs.service	2020-11-24 22:13:57 UTC (rev 761016)
@@ -4,66 +4,52 @@
 After=network.target
 
 [Service]
-# The user/group bitwarden_rs is run under. These are created at install, with
-# /var/lib/bitwarden_rs as the home directory
+ExecStart=/usr/bin/bitwarden_rs
+WorkingDirectory=/var/lib/bitwarden_rs
 User=bitwarden_rs
 Group=bitwarden_rs
 
-# The location of the .env file for configuration
-EnvironmentFile=/etc/bitwarden_rs.env
+# Allow bitwarden_rs to bind ports in the range of 0-1024 and restrict it to
+# that capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 
-# The location of the compiled binary
-ExecStart=/usr/bin/bitwarden_rs
+# If bitwarden_rs is run at ports >1024, you should apply these options in a
+# drop-in file
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+#PrivateUsers=yes
 
-# Set reasonable connection and process limits
+NoNewPrivileges=yes
+
 LimitNOFILE=1048576
 LimitNPROC=64
+UMask=0077
 
-# Set the working directory (user and password data are stored here) and only
-# allow writes to the following
-WorkingDirectory=~
+ProtectSystem=strict
+ProtectHome=yes
 ReadWritePaths=/var/lib/bitwarden_rs /var/log/bitwarden_rs.log
-
-# Prevent bitwarden_rs from doing anything stupid and/or unneccessary
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-
 PrivateTmp=yes
 PrivateDevices=yes
-
-ProtectHome=yes
-ProtectSystem=strict
+ProtectHostname=yes
+ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
-ProtectHostname=yes
-ProtectClock=yes
-
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
-
 RemoveIPC=yes
-UMask=0077
 
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
 SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@resources
-SystemCallFilter=~@privileged
 
-# Allow bitwarden_rs to bind ports in the range of 0-1024 and restrict it to
-# that capability
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+EnvironmentFile=/etc/bitwarden_rs.env
 
-# If bitwarden_rs is run at ports >1024, you should apply these options in a
-# drop-in file
-#PrivateUsers=yes
-#CapabilityBoundingSet=
-#AmbientCapabilities=
-
 [Install]
 WantedBy=multi-user.target
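Review bot: The comment above `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` gives the privileged range as 0-1024, but CAP_NET_BIND_SERVICE is only needed for ports below 1024, so a listener on port 1024 itself is covered by neither comment as written. I would word them as `# Allow bitwarden_rs to bind privileged ports (<1024) and restrict it to that capability` and `# If bitwarden_rs listens on a port >=1024, you should apply these options in a`. The reorder also drops the old remark that user and password data is stored in the working directory. A one-line comment above `ReadWritePaths=`, such as `# Vault data lives in /var/lib/bitwarden_rs; only these paths are writable`, would keep that context for whoever next edits the sandboxing options.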

Modified: bitwarden_rs.sysusers.conf
===================================================================
--- bitwarden_rs.sysusers.conf	2020-11-24 20:51:09 UTC (rev 761015)
+++ bitwarden_rs.sysusers.conf	2020-11-24 22:13:57 UTC (rev 761016)
@@ -1 +1 @@
-u bitwarden_rs - "bitwarden_rs user" /var/lib/bitwarden_rs /usr/bin/nologin
+u bitwarden_rs - "bitwarden_rs user"

