git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity

fix: remove sudo from apt commands and RestrictSUIDSGID from service
All checks were successful
CI/CD Pipeline / Code Format (push) Successful in 2s
Details
CI/CD Pipeline / Clippy Lints (push) Successful in 1m17s
Details
CI/CD Pipeline / Unit Tests (push) Successful in 56s
Details
CI/CD Pipeline / Security Audit (push) Successful in 15s
Details
CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Successful in 1m57s
Details
CI/CD Pipeline / Build Arch Package (push) Successful in 1m53s
Details
CI/CD Pipeline / Build Alpine Package (push) Successful in 3m17s
Details
CI/CD Pipeline / Build RPM Package (push) Successful in 3m36s
Details
CI/CD Pipeline / Build Debian Package (push) Successful in 2m11s
Details

Browse Source 
- Remove sudo from apt command execution (service runs as root)
- Remove RestrictSUIDSGID from systemd service (blocks setuid for apt/dpkg)
- Remove NoNewPrivileges from systemd service (blocks sudo PERM_SUDOERS)
- Bump version to 0.3.2
This commit is contained in:
Echo
2026-05-03 02:24:52 +00:00
parent 2b35a143da
commit 9e42f32270
6 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
configs/linux-patch-api.service
View File

@ -17,7 +17,6 @@ RuntimeDirectory=linux-patch-api
RuntimeDirectoryMode=0755
# Security hardening
NoNewPrivileges=true
# Allow reboot capability for scheduled reboots
CapabilityBoundingSet=CAP_SYS_BOOT
AmbientCapabilities=CAP_SYS_BOOT
@ -37,7 +36,7 @@ RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=false
RestrictRealtime=true
RestrictSUIDSGID=true
# RestrictSUIDSGID removed - package management requires setuid/setgid for apt/dpkg
RemoveIPC=true
# System call filtering (whitelist approach)