Setup Your Blackcoin Client As A Systemd Service!

Systemd services are well suited to programs that are meant to run all the time: once enabled, the unit starts at boot, and with Restart=on-failure systemd starts the client again if something makes it crash. Systemd also offers simple switches for sandboxing the process, as you will see below.

The example below is a blackmored.service file, but you can turn it into a blackmore-qt.service file by replacing blackmored -daemon with blackmore-qt if you prefer. Note that blackmore-qt does not fork into the background, so in that case change Type=forking to Type=simple as well. Or, run both as described in Running blackmore-qt and blackmore-cli at the same time!

I keep my blackmored binary in /etc/blackmore/ with a symlink in /usr/local/bin/ so that it is on my path. You can skip the symlink, but if you want to use ProtectHome= both the binary and the data directory must live outside your home directory, because the service cannot see /home at all. Adjust the paths to your liking; the same goes for the datadir. /var/lib stays writable under ProtectSystem=full, which is what the datadir needs; only if you move to ProtectSystem=strict would you have to add ReadWritePaths=/var/lib/.blackmore.

Note: because your files are not in the default location you will need to pass -datadir=/var/lib/.blackmore to blackmore-cli every time, and run it as the same user the service runs under so that it can read the RPC cookie in the datadir!

If you use blackmore-cli from the terminal, set up an alias to simplify your life. Check out the article about Using Blackcoin From The Command Line if you need guidance.

[Unit]
Description=Blackmore daemon
After=network.target

[Service]
ExecStart=/usr/local/bin/blackmored -daemon -conf=/var/lib/.blackmore/blackmore.conf -datadir=/var/lib/.blackmore
# Stop via RPC. The same -conf/-datadir must be passed here: without them the stop
# command looks for the RPC cookie in the default datadir under /home, which
# ProtectHome= hides from this service.
ExecStop=/usr/local/bin/blackmored -conf=/var/lib/.blackmore/blackmore.conf -datadir=/var/lib/.blackmore stop
User=daniel
Restart=on-failure

# Because it's a daemon process
Type=forking

# Hardening
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target

Several useful settings are enabled like this. The two most useful and general ones are ProtectHome= and ProtectSystem=. The first uses an unshared mount namespace to make /home (together with /root and /run/user) either read-only or entirely inaccessible; with ProtectHome=true, as above, they are inaccessible and appear empty. The second makes /usr and /boot read-only, and with ProtectSystem=full also /etc. A third, also useful but more specific, setting is PrivateTmp=. It uses mount namespaces to make a private directory visible as /tmp and /var/tmp for the service. The service's temporary files are hidden from other users, which avoids any issues due to filename collisions or wrong permissions. The remaining three are smaller: NoNewPrivileges= stops the daemon and anything it spawns from gaining privileges through setuid binaries or file capabilities, PrivateDevices= hides physical devices under /dev and leaves only pseudo-devices such as /dev/null and /dev/urandom, and MemoryDenyWriteExecute= refuses memory mappings that are both writable and executable, which a daemon without a JIT has no need for.

You can see what systemd itself makes of the result with the command systemd-analyze security blackmored.service | grep ✓

This will show you:

✓ User=/DynamicUser=                  Service runs under a static non-root user identity
✓ CapabilityBoundingSet=~CAP_RAWIO    Service has no raw I/O access
✓ DeviceAllow=                        Service has a minimal device ACL
✓ KeyringMode=                        Service doesn't share key material with other services
✓ NoNewPrivileges=                    Service processes cannot acquire new privileges
✓ NotifyAccess=                       Service child processes cannot alter service state
✓ PrivateDevices=                     Service has no access to hardware devices
✓ PrivateMounts=                      Service cannot install system mounts
✓ PrivateTmp=                         Service has no access to other software's temporary files
✓ ProtectHome=                        Service has no access to home directories
✓ AmbientCapabilities=                Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_MKNOD    Service cannot create device nodes
✓ SupplementaryGroups=                Service has no supplementary groups
✓ Delegate=                           Service does not maintain its own delegated control group subtree
✓ MemoryDenyWriteExecute=             Service cannot create writable executable memory mappings

Skip the grep to see everything! It's a lot!
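To put all of the above together in one place, here is an added shell script that is not part of the original article or the Blackcoin project. It renders the unit file shown above from a few parameters (passing the non-default datadir to ExecStop as well as ExecStart, for the reason given in the note about blackmore-cli), refuses to install the unit if any of the hardening directives is missing, creates the datadir with the right ownership, enables the service, prints the exposure line from systemd-analyze security, and can run the same sandbox directives on a throwaway command so you can see what ProtectHome=, ProtectSystem=, PrivateTmp= and PrivateDevices= actually do. It assumes the article's own layout (binary at /usr/local/bin/blackmored, datadir /var/lib/.blackmore, service user daniel, unit path /etc/systemd/system/blackmored.service); all of these can be overridden through the environment variables at the top. The function names render_unit, check_hardening, install_unit and probe_sandbox are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original article or the Blackcoin project.
# Renders the blackmored unit, checks its hardening directives, installs it,
# and can probe the sandbox directives on a throwaway command.
# Assumptions (override via the environment): the article's own paths and user.
set -eu

BLACKMORE_BIN="${BLACKMORE_BIN:-/usr/local/bin/blackmored}"
BLACKMORE_DATADIR="${BLACKMORE_DATADIR:-/var/lib/.blackmore}"
BLACKMORE_USER="${BLACKMORE_USER:-daniel}"
UNIT_PATH="${UNIT_PATH:-/etc/systemd/system/blackmored.service}"

# Print the unit text. ExecStop gets the same -conf/-datadir as ExecStart:
# the datadir is not the default one, so without them the stop command would
# look for the RPC cookie under /home, which ProtectHome= hides.
render_unit() {
    bin="$1"; datadir="$2"; user="$3"
    cat <<EOF
[Unit]
Description=Blackmore daemon
After=network.target

[Service]
ExecStart=$bin -daemon -conf=$datadir/blackmore.conf -datadir=$datadir
ExecStop=$bin -conf=$datadir/blackmore.conf -datadir=$datadir stop
User=$user
Restart=on-failure
Type=forking

# Hardening
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target
EOF
}

# Read unit text on stdin and report every hardening directive that is not
# set to the expected value. Returns 1 if anything is missing, 0 otherwise.
check_hardening() {
    unit_text="$(cat)"
    missing=0
    for want in NoNewPrivileges=true ProtectHome=true ProtectSystem=full \
                PrivateTmp=true PrivateDevices=true MemoryDenyWriteExecute=true; do
        if ! printf '%s\n' "$unit_text" | grep -qx "$want"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return $missing
}

# Install and start the service. Needs root: "sh setup-blackmored.sh install".
install_unit() {
    # The datadir holds wallet.dat and the RPC cookie: owned by the service
    # user, readable by nobody else. /var/lib stays writable under
    # ProtectSystem=full; ProtectSystem=strict would also need ReadWritePaths=.
    install -d -m 0700 -o "$BLACKMORE_USER" "$BLACKMORE_DATADIR"
    # set -e aborts here if a hardening directive is missing.
    render_unit "$BLACKMORE_BIN" "$BLACKMORE_DATADIR" "$BLACKMORE_USER" | check_hardening
    render_unit "$BLACKMORE_BIN" "$BLACKMORE_DATADIR" "$BLACKMORE_USER" > "$UNIT_PATH"
    chmod 0644 "$UNIT_PATH"
    systemctl daemon-reload
    systemctl enable --now blackmored.service
    systemctl --no-pager status blackmored.service
    # Overall exposure level; compare the score with the Hardening block removed.
    systemd-analyze security blackmored.service | tail -n 1
    # The datadir is not the default one, so blackmore-cli needs it every time.
    echo "Add to the service user's shell profile:"
    echo "alias blackmore-cli='blackmore-cli -datadir=$BLACKMORE_DATADIR'"
}

# Run the sandbox directives on a throwaway command (needs root): /home and
# /tmp come up empty, /dev holds only pseudo-devices, /etc is read-only.
probe_sandbox() {
    systemd-run --quiet --wait --pipe \
        -p ProtectHome=yes -p ProtectSystem=full -p PrivateTmp=yes -p PrivateDevices=yes \
        -- sh -c '
            echo "home entries: $(ls -A /home | wc -l)"
            echo "tmp entries:  $(ls -A /tmp | wc -l)"
            echo "dev entries:  $(ls /dev | wc -l)"
            touch /etc/probe 2>/dev/null || echo "etc is read-only"'
}

case "${1:-}" in
    install) install_unit ;;
    probe) probe_sandbox ;;
    *) render_unit "$BLACKMORE_BIN" "$BLACKMORE_DATADIR" "$BLACKMORE_USER" ;;
esac
```

Run it without arguments to print the unit it would install, with install (as root) to write, enable and start it, and with probe (as root) to watch the directives in action. The check is deliberately strict about values: ProtectHome=read-only or ProtectSystem=true would both be weaker than what the article's unit sets, so they count as missing.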


You can go further than this, but it already offers better security and more convenience than running blackmored or blackmore-qt by hand.

