From: Ben Harris <bjh21@bjh21.me.uk>
Date: Sun, 16 Dec 2018 19:24:46 +0000 (+0000)
Subject: clunk.service: stop running clunk as root.
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~bjharris/git?a=commitdiff_plain;h=1a91a132994fe8c402e4bf22fdc4421ddde683cb;p=clunk.git

clunk.service: stop running clunk as root.

A combination of DynamicUser, SupplementaryGroups, an StateDirectory
allows it to have close to the minimum necessary privilege.
---

diff --git a/clunk.service b/clunk.service
index 510c3fe..398af7a 100644
--- a/clunk.service
+++ b/clunk.service
@@ -1,10 +1,13 @@
-# systemd unit file for clunk(8)
+# Example systemd unit file for clunk(8) on Raspbian
 [Unit]
 Description=pulse clock driver (clunk)
 Documentation=man:clunk(8)
 
 [Service]
-ExecStart=clunk -f /var/lib/clunk.state -C pinctrl-bcm2835 -L 17
+DynamicUser=true
+SupplementaryGroups=gpio
+StateDirectory=clunk
+ExecStart=clunk -f /var/lib/clunk/clunk.state -C pinctrl-bcm2835 -L 17
 
 [Install]
 WantedBy=multi-user.target