9f551e3c13
Run t3-dispatch as an unprivileged dedicated user instead of wizard (who has full sudo). Privileged minting goes through /usr/local/bin/t3-mint, which validates the target against /etc/ttyd-user-map before minting as that user; sudoers permits t3-dispatch to run only that wrapper. Compromise of the network-facing service can mint pairing tokens for mapped users at most. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
15 lines
413 B
Desktop File
15 lines
413 B
Desktop File
[Unit]
|
|
Description=t3 per-user dispatch + auto-pair (X-authentik-username -> user instance)
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
# Unprivileged dedicated user; the only privileged action is `sudo t3-mint`
|
|
# (scoped in /etc/sudoers.d/t3-autopair). Compromise => mint tokens at most.
|
|
User=t3-dispatch
|
|
ExecStart=/usr/local/bin/t3-dispatch
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|