From 4140d3b4444d2fd55ac682d066fd859cb2f034b5 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Wed, 3 Sep 2025 08:23:25 -0700 Subject: [PATCH] privileged: Don't isolate /var/tmp/ for privileged daemon - Files from web service are uploaded to /var/tmp/ directory. They need to be accessible to privileged daemon so that it can move them to a target location. So, if /var/tmp is isolated for privileged daemon, it can't see those files as a separate tmpfs filesystem is mounted on that folder. - Ideally, we should have PrivateTmp=yes and JoinsNameSpacesOf=freedombox-privileged.service set on plinth.service. However, this requires further changes to the way developer execution is done on the command line. This is done in future. Tests: - Uploading a backup works. - Uploading a kiwix archive works. Signed-off-by: Sunil Mohan Adapa Reviewed-by: Veiko Aasa --- data/usr/lib/systemd/system/freedombox-privileged.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/usr/lib/systemd/system/freedombox-privileged.service b/data/usr/lib/systemd/system/freedombox-privileged.service index 6112b5d43..9cce91e34 100644 --- a/data/usr/lib/systemd/system/freedombox-privileged.service +++ b/data/usr/lib/systemd/system/freedombox-privileged.service @@ -13,7 +13,8 @@ TimeoutSec=300s User=root Group=root NotifyAccess=main -PrivateTmp=yes +# Uploaded files in /var/tmp/ are shared with FreedomBox web service. +#PrivateTmp=yes Restart=on-failure # Don't restart too fast RestartSec=1
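Review bot: Commenting out `PrivateTmp=yes` (the `-PrivateTmp=yes` / `+#PrivateTmp=yes` pair) drops the private namespace for both /tmp and /var/tmp on a unit that runs with `User=root`, although the commit message only needs /var/tmp to be shared. The new comment explains why the setting is off but not that this is meant to be temporary; consider stating the planned fix there, for example that `PrivateTmp=yes` returns once plinth.service joins this unit's namespace, so the hardening gap is visible in the unit file itself. Note that the systemd directive is spelled `JoinsNamespaceOf=`, not `JoinsNameSpacesOf=` as written in the commit message. Since the root daemon will now act on paths in a directory shared with the web service, the code that moves uploads should be checked to refuse symlinks and unexpected file names; a dedicated upload directory owned by the web service user would allow `PrivateTmp=yes` to stay.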