Hello, ooh man I got confused because I also had trouble with the logrotate service. ProtectSystem=full was not in the openvpn@ service:

systemctl cat openvpn@<conf>
# [Service]
# Type=notify
# PrivateTmp=true
# WorkingDirectory=/etc/openvpn
# ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
# PIDFile=/run/openvpn/%i.pid
[..]
# DeviceAllow=/dev/null rw
# DeviceAllow=/dev/net/tun rw
# ProtectSystem=true
# ProtectHome=true

so no outbreak.... :facepalm:

Kind regards

On 25.06.25 13:15, Andy Smith wrote:
Hi,

On Wed, Jun 25, 2025 at 11:33:02AM +0200, Philipp Ewald wrote:
> ProtectSystem=full should be read-only /etc what is the point of this setting if the process still can write there?

The "full" setting is indeed meant to keep the whole filesystem read-only for that service, except /dev, /proc, and /sys, so if yours isn't then there is something else going on.

It doesn't work for user services (i.e. services started with --user option).

It doesn't work if your kernel doesn't support filesystem namespaces, which can happen if you have systemd running inside some other container.

ReadWritePaths= can be used to add paths that can be written to, so check there isn't one of those.

Otherwise there is some other issue, or a bug.

Thanks,
Andy
--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de
AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
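The check Andy describes (look at the effective ProtectSystem level and make sure no ReadWritePaths= re-opens part of the tree) can be scripted. The POSIX shell below is an added example written for this thread, not code from either poster or from the openvpn package. It classifies a unit's filesystem sandboxing from the key=value lines that `systemctl show -p ProtectSystem -p ProtectHome -p ReadWritePaths -p PrivateTmp <unit>` prints, which reflect drop-ins and overrides, not just the shipped unit file. The property sets HARDENED and UNSANDBOXED are constructed samples in that output shape, not captured from a real host. One detail worth knowing when reading Philipp's unit: ProtectSystem=true is the same as ProtectSystem=yes, which makes only /usr, /boot and /efi read-only; /etc is covered only from "full" upwards, and "strict" covers the whole filesystem except /dev, /proc and /sys.

```shell
#!/bin/sh
# Constructed samples (not from any real host) in the shape of
# `systemctl show -p ProtectSystem -p ProtectHome -p ReadWritePaths -p PrivateTmp <unit>`.
HARDENED='ProtectSystem=full
ProtectHome=yes
ReadWritePaths=
PrivateTmp=yes'

UNSANDBOXED='ProtectSystem=no
ProtectHome=no
ReadWritePaths=
PrivateTmp=no'

# fs_readonly_verdict: read key=value property lines on stdin, print one verdict:
#   readonly      ProtectSystem=full|strict and no ReadWritePaths= holes
#   holes:<paths> ProtectSystem=full|strict but ReadWritePaths= re-opens <paths>
#   partial       ProtectSystem=yes|true: /usr, /boot, /efi read-only, /etc still writable
#   writable      ProtectSystem off (no protection of /etc or /usr at all)
fs_readonly_verdict() {
  level=no
  rwpaths=""
  while IFS='=' read -r key val; do
    case "$key" in
      ProtectSystem)  level=$val ;;
      ReadWritePaths) rwpaths=$val ;;
    esac
  done
  case "$level" in
    full|strict)
      if [ -n "$rwpaths" ]; then
        printf 'holes:%s\n' "$rwpaths"
      else
        printf 'readonly\n'
      fi ;;
    yes|true)
      printf 'partial\n' ;;
    *)
      printf 'writable\n' ;;
  esac
}

# audit_unit <unit>: query the live, effective properties of a unit
# (drop-ins included) and classify them. Only works on a systemd host.
audit_unit() {
  systemctl show -p ProtectSystem -p ProtectHome -p ReadWritePaths -p PrivateTmp "$1" \
    | fs_readonly_verdict
}

# Demo on the constructed samples, then on a real unit if one is given
# as the first argument and systemctl is available.
printf 'HARDENED    -> %s\n'    "$(printf '%s\n' "$HARDENED"    | fs_readonly_verdict)"
printf 'UNSANDBOXED -> %s\n'    "$(printf '%s\n' "$UNSANDBOXED" | fs_readonly_verdict)"
printf 'ProtectSystem=true -> %s\n' "$(printf 'ProtectSystem=true\n' | fs_readonly_verdict)"
if [ -n "${1:-}" ] && command -v systemctl >/dev/null 2>&1; then
  printf '%s -> %s\n' "$1" "$(audit_unit "$1")"
fi
```

Run it as `sh check-protect.sh 'openvpn@server.service'` on the affected host; a "partial" verdict for a unit that shows ProtectSystem=true in `systemctl cat` is the expected result and explains why a write to /etc still succeeds, while "holes:" points straight at a ReadWritePaths= drop-in. Keep in mind Andy's two caveats, which no property listing can detect: `--user` services and hosts whose kernel or container runtime lacks filesystem namespaces get no mount sandbox even when the properties say "full".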