fix: cis490-msfrpcd unit crashes with EROFS on /root/.msf4 (ProtectHome=true)
msfrpcd tries to mkdir ~/.msf4/ for its module cache and logs. The cis490-msfrpcd.service unit sets ProtectHome=true, which makes /root inaccessible (EROFS), so msfrpcd exits immediately on first start.

Fix: add Environment=HOME=/var/lib/cis490/msf4 to the unit template and ReadWritePaths=/var/lib/cis490, and pre-create the msf4 dir in the install script so msfrpcd can write its state there instead. ProtectHome is preserved because /root is now never touched.

Closes spectral/CIS490#16

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent e2bb76144f
commit 1dd484dd5c
1 changed files with 6 additions and 0 deletions
@ -103,6 +103,10 @@ fi
# --- 3. systemd unit ----------------------------------------------------
log "installing systemd unit"
# msfrpcd writes ~/.msf4/ for module cache and logs. ProtectHome=true in
# the unit makes /root inaccessible, so redirect HOME to a writable path
# under /var/lib/cis490/. Pre-create so msfrpcd doesn't race mkdir.
install -d -m 0755 -o root -g root /var/lib/cis490/msf4
cat > "$UNIT" <<EOF
[Unit]
Description=CIS490 — Metasploit RPC daemon (loopback only)
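Review bot: `install -d -m 0755 -o root -g root /var/lib/cis490/msf4` only fixes the EROFS if msfrpcd actually runs as root; the hunk does not show a User= line, so if the unit runs under a dedicated service account the directory is root-owned and not writable by it, and the first start fails on the same mkdir with EACCES instead. Match -o/-g to the unit's User=/Group=, or let systemd own the directory with `StateDirectory=cis490/msf4` (created with the service user's ownership on every start) and set `Environment=HOME=%S/cis490/msf4` from that. Consider 0750 rather than 0755 as well: ~/.msf4 holds the module cache and msfrpcd logs, and nothing else on the host needs to read them.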
@ -119,6 +123,7 @@ EnvironmentFile=$ENV_FILE
# -a <ip> bind address (loopback only — Tier-3 driver runs locally)
# -p <port> port
# -f foreground (no daemonization, so systemd manages PID)
Environment=HOME=/var/lib/cis490/msf4
ExecStart=/usr/bin/env msfrpcd -P \${MSFRPC_PASSWORD} -U \${MSFRPC_USER} -a 127.0.0.1 -p \${MSFRPC_PORT} -f
Restart=on-failure
RestartSec=5
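Review bot: the new `Environment=HOME=/var/lib/cis490/msf4` line is inserted between the `# -a <ip>` / `# -p <port>` / `# -f` comment block and the `ExecStart=` those comments describe, so the flag documentation no longer sits next to the command it explains. Move the Environment= line up beside the existing `EnvironmentFile=$ENV_FILE` so the comments stay adjacent to ExecStart. The path is also spelled out a second time here after the `install -d` in the previous hunk; since the heredoc is unquoted (`<<EOF`) and already expands $ENV_FILE, a single script variable such as MSF_HOME=/var/lib/cis490/msf4 used in both places would keep them from drifting apart.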
@ -126,6 +131,7 @@ NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
ReadWritePaths=/var/lib/cis490
[Install]
WantedBy=multi-user.target
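Review bot: with `ProtectSystem=full` the added `ReadWritePaths=/var/lib/cis490` is a no-op: full only mounts /usr, /boot and /etc read-only, and /var/lib is writable regardless, so this line neither contributes to the fix nor restricts anything. Either drop it, or raise the unit to `ProtectSystem=strict` (entire filesystem read-only apart from /dev, /proc and /sys) and keep ReadWritePaths=, narrowed to `/var/lib/cis490/msf4` so msfrpcd can write only its own state directory rather than everything under /var/lib/cis490. Whichever is chosen, confirm the result after `systemctl daemon-reload` with `systemd-analyze security cis490-msfrpcd.service` and one clean first start in `-f` foreground mode that no longer exits on the EROFS.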