From d63bc1578d7fa889ae40b3e1523cae862d76de20 Mon Sep 17 00:00:00 2001
From: outlook84 <96007761+outlook84@users.noreply.github.com>
Date: Sun, 17 Aug 2025 19:10:24 +0800
Subject: [PATCH] feat(install): Harden systemd service and fix config ownership

This commit enhances security by adding numerous sandboxing and hardening directives to the `xray.service` and `xray@.service` systemd unit files. These changes restrict the process's capabilities and access to the host system, following security best practices. Key additions include `ProtectSystem`, `PrivateTmp`, `SystemCallFilter`, and `RestrictNamespaces` to limit the service's potential impact. Additionally, this fixes a permission issue by correctly setting the ownership of the newly created `config.json` to the service user.
---
 install-release.sh | 70 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 56 insertions(+), 14 deletions(-)

diff --git a/install-release.sh b/install-release.sh
index 739d12d..d4c34ab 100755
--- a/install-release.sh
+++ b/install-release.sh
@@ -495,6 +495,7 @@ install_xray() {
 if [[ -z "$JSONS_PATH" ]] && [[ ! -d "$JSON_PATH" ]]; then
 install -d "$JSON_PATH"
 echo "{}" >"${JSON_PATH}/config.json"
+ chown "$INSTALL_USER_UID:$INSTALL_USER_GID" "${JSON_PATH}/config.json"
 CONFIG_NEW='1'
 fi
@@ -526,14 +527,6 @@ install_xray() {
 install_startup_service_file() {
 mkdir -p '/etc/systemd/system/xray.service.d'
 mkdir -p '/etc/systemd/system/xray@.service.d/'
- local temp_CapabilityBoundingSet="CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE"
- local temp_AmbientCapabilities="AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE"
- local temp_NoNewPrivileges="NoNewPrivileges=true"
- if [[ "$INSTALL_USER_UID" -eq '0' ]]; then
- temp_CapabilityBoundingSet="#${temp_CapabilityBoundingSet}"
- temp_AmbientCapabilities="#${temp_AmbientCapabilities}"
- temp_NoNewPrivileges="#${temp_NoNewPrivileges}"
- fi
 cat >/etc/systemd/system/xray.service <
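Review bot: The added `chown "$INSTALL_USER_UID:$INSTALL_USER_GID" "${JSON_PATH}/config.json"` in the first hunk makes the service account the owner of its own configuration file, so a compromised xray process could rewrite config.json and persist changes across restarts, which works against the hardening the rest of this commit introduces. The service only needs to read the file; if the underlying problem is that a restrictive umask leaves the freshly written file unreadable, `chown "root:$INSTALL_USER_GID" "${JSON_PATH}/config.json"` followed by `chmod 0640 "${JSON_PATH}/config.json"` grants read access without write access. The chown is also unguarded, so if it fails the install continues silently; appending `|| return 1` (or whatever error convention install_xray uses elsewhere) would surface that, though I cannot see the script's error-handling setup from this hunk. install_xray's body starts and ends outside the hunk.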