prosody-modules
e977174082ee
misc/systemd/prosody.service

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

misc/systemd/prosody.service @ 6193:e977174082ee

mod_invites_register_api: Use set_password() for password resets Previously the code relied on the (weird) behaviour of create_user(), which would update the password for a user account if it already existed. This has several issues, and we plan to deprecate this behaviour of create_user(). The larger issue is that this route does not trigger the user-password-changed event, which can be a security problem. For example, it did not disconnect existing user sessions (this occurs in mod_c2s in response to the event). Switching to set_password() is the right thing to do
author Matthew Wild <mwild1@gmail.com>
date Thu, 06 Feb 2025 10:24:30 +0000
parent 5904:eb1c524a5150
line wrap: on
line source

# This is an example service file. For some time there's now also one in used in our Debian releases at https://hg.prosody.im/debian/

[Unit]
### see man systemd.unit
Description=Prosody XMPP Server
Documentation=https://prosody.im/doc

[Service]
### See man systemd.service ###
# With this configuration, systemd takes care of daemonization
# so Prosody should be configured with daemonize = false
Type=simple

# Not sure if this is needed for 'simple'
PIDFile=/var/run/prosody/prosody.pid

# Start by executing the main executable
ExecStart=/usr/bin/prosody

ExecReload=/bin/kill -HUP $MAINPID

# Restart on crashes
Restart=on-abnormal

# Set O_NONBLOCK flag on sockets passed via socket activation
NonBlocking=true

### See man systemd.exec ###

WorkingDirectory=/var/lib/prosody

User=prosody
Group=prosody

UMask=0027

# Nice=0

# Set stdin to /dev/null since Prosody does not need it
StandardInput=null

# Direct stdout/-err to journald for use with log = "*stdout"
StandardOutput=journal
StandardError=inherit

# This usually defaults to 4k or so
# LimitNOFILE=1M

## Interesting protection methods
# Finding a useful combo of these settings would be nice
#
# Needs read access to /etc/prosody for config
# Needs write access to /var/lib/prosody for storing data (for internal storage)
# Needs write access to /var/log/prosody for writing logs (depending on config)
# Needs read access to code and libraries loaded

# ReadWriteDirectories=/var/lib/prosody /var/log/prosody
# InaccessibleDirectories=/boot /home /media /mnt /root /srv
# ReadOnlyDirectories=/usr /etc/prosody

# PrivateTmp=true
# PrivateDevices=true
# PrivateNetwork=false

# ProtectSystem=full
# ProtectHome=true
# ProtectKernelTunables=true
# ProtectControlGroups=true
# SystemCallFilter=

# This should break LuaJIT
# MemoryDenyWriteExecute=true