From 58c8504c75ac0c683eb69b0c5f6a7b46a0e22298 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=90=B4=E6=96=87=E5=B3=B0?=
Date: Thu, 28 May 2026 15:43:48 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E7=A7=BB=E9=99=A4=20ProtectSystem=20?=
 =?UTF-8?q?=E6=B2=99=E7=AE=B1=E9=99=90=E5=88=B6=EF=BC=8C=E4=BF=AE=E5=A4=8D?=
 =?UTF-8?q?=20unix=20socket=20=E5=88=9B=E5=BB=BA=E5=A4=B1=E8=B4=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ProtectSystem=strict/full 把 /etc /opt 等挂载为只读, 即使 ReadWritePaths 配合也会有各种坑。
服务已用专用低权用户 portal_page 运行,文件系统权限本身就够了, 没必要再加 systemd 文件系统沙箱。
---
 install.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/install.sh b/install.sh
index a2dffdf..4a2a3e1 100644
--- a/install.sh
+++ b/install.sh
@@ -170,11 +170,11 @@ StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=${SERVICE_NAME}
 
-# 安全加固
-NoNewPrivileges=true
-ProtectSystem=full
+# 安全加固:专用低权用户运行,无需额外文件系统沙箱
+# ProtectSystem=strict/full 会阻止写入 /etc 和 /opt 等目录,
+# 导致配置文件和 unix socket 无法创建,得不偿失
 ProtectHome=true
-ReadWritePaths=${DATA_DIR} ${CONFIG_DIR} ${LOG_DIR} ${PID_DIR} ${INSTALL_DIR}
+NoNewPrivileges=true
 
 # 环境变量
 Environment=GIN_MODE=release
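Review bot: Dropping `ProtectSystem=full` together with `ReadWritePaths=` removes the only control in this unit that keeps a compromised service process from writing into /usr, /boot and /etc, and the replacement comment records a diagnosis rather than the observed failure: `ProtectSystem=full` makes only /usr, /boot, /efi and /etc read-only, so it cannot by itself block socket creation under /opt. If a config or socket directory is the real problem, the narrower fix is to keep `ProtectSystem=full` and list just what the service writes, e.g. `ReadWritePaths=${DATA_DIR} ${LOG_DIR} ${PID_DIR}` plus `RuntimeDirectory=${SERVICE_NAME}` for the socket; a path named in `ReadWritePaths=` without a leading `-` must exist when the unit starts or the mount setup fails, which may be what was seen here. At minimum the comment should name the directory that could not be written so the decision can be revisited, e.g. `# ProtectSystem=full 已移除：<具体路径> 创建 unix socket 失败，定位后恢复`. The unit file is a heredoc written by install.sh whose start and end lie outside this hunk.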