lfg2025/archy
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 33 Wiki Activity

fix: add debian-tor group to backend service for onion address access
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 58m25s
Details

Browse Source 
The backend couldn't read Tor hidden service hostnames because the
systemd service only had SupplementaryGroups=dialout. Adding debian-tor
allows the backend to read /var/lib/tor/hidden_service_*/hostname
without needing sudo (which is blocked by NoNewPrivileges=yes).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-30 19:14:27 +01:00
parent ffeb49e608
commit c191dddd2b
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
image-recipe/configs/archipelago.service
View File

@@ -30,7 +30,7 @@ ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/con
# Privilege restriction — restored with rootless podman (no sudo needed)
NoNewPrivileges=yes
PrivateDevices=no
SupplementaryGroups=dialout
SupplementaryGroups=dialout debian-tor
# Network restriction (allow only IPv4/IPv6 + Unix sockets)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6