Let systemd create directories

Manually creating directories conflicts with systemd service hardening features. Particularly, `ProtectSystem=strict` mounts the filesystem as read-only for the processes started by the unit which leads to `mkdir` failing. By setting `User=mosquitto` and adding `RuntimeDirectory` and `LogsDirectory`, systemd creates `/run/mosquitto` and `/var/log/mosquitto` with the right permissions even `ProtectSystem=strict` is used. Signed-off-by: Guillaume Champagne <[email protected]>
eclipse-mosquitto · Oct 4, 2024 · cb4d276 · cb4d276
1 parent 18fdad5
commit cb4d276
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 8 deletions.
diff --git a/service/systemd/mosquitto.service.notify b/service/systemd/mosquitto.service.notify
@@ -5,15 +5,14 @@ After=network.target
 Wants=network.target
 
 [Service]
+User=mosquitto
 Type=notify
 NotifyAccess=main
 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
-ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto
-ExecStartPre=/bin/chown mosquitto:mosquitto /var/log/mosquitto
-ExecStartPre=/bin/mkdir -m 740 -p /run/mosquitto
-ExecStartPre=/bin/chown mosquitto:mosquitto /run/mosquitto
+RuntimeDirectory=mosquitto
+LogsDirectory=mosquitto
 
 [Install]
 WantedBy=multi-user.target
diff --git a/service/systemd/mosquitto.service.simple b/service/systemd/mosquitto.service.simple
@@ -5,13 +5,12 @@ After=network.target
 Wants=network.target
 
 [Service]
+User=mosquitto
 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
-ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto
-ExecStartPre=/bin/chown mosquitto:mosquitto /var/log/mosquitto
-ExecStartPre=/bin/mkdir -m 740 -p /run/mosquitto
-ExecStartPre=/bin/chown mosquitto:mosquitto /run/mosquitto
+RuntimeDirectory=mosquitto
+LogsDirectory=mosquitto
 
 [Install]
 WantedBy=multi-user.target