Created July 22, 2017 19:10
Patch to make /usr readonly in tmux
From 11877d32d707b9e6e219096a95936239d809cfad Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <[email protected]>
Date: Sat, 22 Jul 2017 20:57:07 +0200
Subject: [PATCH] Add ProtectSystem=yes to [email protected]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In the root tmux session, I often view files with Emacs, just for the
syntax highlighting. To make sure I don’t accidentally edit them, let’s
just make /usr read-only (I shouldn’t edit anything there anyways,
that’s the package manager’s realm).

Any commands that do need to write to /usr (chiefly, `apt`) can be run
with `systemd-exec -qt`. (-t allocates a PTY and -q silences systemd-run
itself; in sum, it’s a pretty seamless experience.)
---
 systemd/system/[email protected] | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/systemd/system/[email protected] b/systemd/system/[email protected] | |
index a9a3779..6383668 100644 | |
--- a/systemd/system/[email protected] | |
+++ b/systemd/system/[email protected] | |
@@ -1,12 +1,20 @@ | |
[Unit] | |
Description=Terminal multiplexer for user %i | |
[Service] | |
User=%i | |
Type=forking | |
ExecStart=/usr/bin/tmux -2 -u new-session -d | |
ExecStop=/usr/bin/tmux kill-server | |
WorkingDirectory=~ | |
+# Make sure I don’t accidentally edit dpkg-managed files in /usr. | |
+# To make `apt` still work, place this /bin/sh script in `/usr/local/bin/apt`: | |
+# exec systemd-run -qt /usr/bin/apt "$@" | |
+ProtectSystem=yes | |
+# /usr/local is an exception, that contains local stuff under my own control. | |
+# (It really shouldn’t be under /usr, but that’s where it is.) | |
+ReadWritePaths=/usr/local | |
+ | |
[Install] | |
WantedBy=multi-user.target | |
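Review bot: the `/usr/local/bin/apt` wrapper suggested in the comment (`exec systemd-run -qt /usr/bin/apt "$@"`) starts apt as a transient unit outside this service's mount namespace, so it deliberately steps around `ProtectSystem=yes`; that makes the setting a guard against accidental edits, as the commit message says, and not a boundary against anything that can already run commands in the session, and the unit comment should state that limit so nobody later mistakes it for hardening. Two smaller points: `ProtectSystem=yes` only makes /usr and /boot read-only, so /etc stays writable from the same session (`ProtectSystem=full` would cover /etc as well), and only `apt` is wrapped, so a direct `dpkg -i` or `apt-get` run inside the session will still fail partway when it tries to unpack into the read-only /usr. Last, `ReadWritePaths=` is the systemd 231+ spelling of `ReadWriteDirectories=`, so the unit needs that version or newer for the /usr/local exception to take effect.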
--
2.11.0