SystemCallFilter in systemd service

My version of HedgeDoc is: 1.10.0

What I expected to happen:

Start hedgedoc while system startup via systemd service.
Controll the process by service hedgedoc start|stop|status

What actually happened:

Hedgedoc won’t be started.

I already tried:

No problem running NODE_ENV=production /usr/bin/node /srv/hedgedoc/app.js --production as root or hedgedoc user

What I found out myself:

Recently I upgraded from Ubuntu 20.04 to 24.04.

I used the Systemd Unit Example from the website.

Hedgedoc will not start without any info in the logs.

When I remove SystemCallFilter=@system-service from the configuration everything works fine.

Now my question: Do I need to update this variable in order to run hedgedoc safely on Ubuntu 24.04?

Thanks in advance!
Adrian

Hi @adrian,

that’s an interesting observation. While I’m not sure what changed between the Ubuntu versions, the setting @system-service alone sounds a bit too strict. But I’m not sure about that as I’m not using that setup personally.

If you run HedgeDoc under its own user account, with restricted filesystem access via systemd, it should already be quite secure. Of course filtering syscalls is even more secure, but I don’t see a major problem in leaving it out.

In case you want to experiment, which combination of allowed syscall groups works for you, you might want to take a look at the list over here: SystemCallFilter setting - Linux Audit.