Fossil SCM
Mention the systemd sandboxing in the CGI documentation.
Commit
69d43cc15e4f864fc28ca7ecfc4d38e8ee0b5cb4073649b42435dbaf94ac583b
Parent
cb5edcab07be198…
1 file changed
+3
-1
| --- www/server/any/cgi.md | ||
| +++ www/server/any/cgi.md | ||
| @@ -38,11 +38,13 @@ | ||
| 38 | 38 | (This might differ from the user the web server normally runs |
| 39 | 39 | under.) The directory holding the repository file(s) needs to be |
| 40 | 40 | writable so that SQLite can write its journal files. When using |
| 41 | 41 | another access control system, such as AppArmor or SELinux, it may |
| 42 | 42 | be necessary to explicitly permit that account to read and write |
| 43 | - the necessary files. | |
| 43 | + the necessary files. Also verify a possible _systemd_ sandboxing of | |
| 44 | + the web server service, especially the combination of _ProtectSystem_, | |
| 45 | + _ProtectHome_, and _ReadWriteDirectories_/_ReadWritePaths_. | |
| 44 | 46 | |
| 45 | 47 | * Fossil must be able to create temporary files in a |
| 46 | 48 | [directory that varies by host OS](../../env-opts.md#temp). When the |
| 47 | 49 | CGI process is operating [within a chroot](../../chroot.md), |
| 48 | 50 | ensure that this directory exists and is readable/writeable by the |
| 49 | 51 |
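Review bot: The sentence added at new lines 43-45 tells the reader to "verify" the systemd sandboxing but never says what a correct setup looks like, which is what an admin debugging a read-only repository needs. Suggest stating the requirement directly, for example: "If the web server unit uses _ProtectSystem_ or _ProtectHome_, the repository directory must be listed in _ReadWritePaths_ so that SQLite can still write its journal files." Since _ReadWriteDirectories_ is the older name for _ReadWritePaths_, say so rather than presenting them as two settings to combine. "a possible _systemd_ sandboxing" would also read more naturally as "any _systemd_ sandboxing".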
| --- www/server/any/cgi.md | |
| +++ www/server/any/cgi.md | |
| @@ -38,11 +38,13 @@ | |
| 38 | (This might differ from the user the web server normally runs |
| 39 | under.) The directory holding the repository file(s) needs to be |
| 40 | writable so that SQLite can write its journal files. When using |
| 41 | another access control system, such as AppArmor or SELinux, it may |
| 42 | be necessary to explicitly permit that account to read and write |
| 43 | the necessary files. |
| 44 | |
| 45 | * Fossil must be able to create temporary files in a |
| 46 | [directory that varies by host OS](../../env-opts.md#temp). When the |
| 47 | CGI process is operating [within a chroot](../../chroot.md), |
| 48 | ensure that this directory exists and is readable/writeable by the |
| 49 |
| --- www/server/any/cgi.md | |
| +++ www/server/any/cgi.md | |
| @@ -38,11 +38,13 @@ | |
| 38 | (This might differ from the user the web server normally runs |
| 39 | under.) The directory holding the repository file(s) needs to be |
| 40 | writable so that SQLite can write its journal files. When using |
| 41 | another access control system, such as AppArmor or SELinux, it may |
| 42 | be necessary to explicitly permit that account to read and write |
| 43 | the necessary files. Also verify a possible _systemd_ sandboxing of |
| 44 | the web server service, especially the combination of _ProtectSystem_, |
| 45 | _ProtectHome_, and _ReadWriteDirectories_/_ReadWritePaths_. |
| 46 | |
| 47 | * Fossil must be able to create temporary files in a |
| 48 | [directory that varies by host OS](../../env-opts.md#temp). When the |
| 49 | CGI process is operating [within a chroot](../../chroot.md), |
| 50 | ensure that this directory exists and is readable/writeable by the |
| 51 |