authorsternenseemann <git@lukasepple.de>2019-12-10 15:29:12 +0100
committersternenseemann <git@lukasepple.de>2019-12-10 15:30:50 +0100
commit63a7e84d7a9b30f0ed8a799f3a071c5fda40e8cb (patch)
treeb235c700c63e5d77909f93f91f050b0c184158c2
parente77da464cdc779a16a8a1faf8c5741d540e7bc4f (diff)
etc: improve security of systemd unit
Also match port number in spacecookie.socket and spacecookie.json.
-rw-r--r--README.md4
-rw-r--r--etc/spacecookie.json2
-rw-r--r--etc/spacecookie.service2
-rw-r--r--etc/spacecookie.socket1
4 files changed, 6 insertions, 3 deletions
diff --git a/README.md b/README.md
index 7cb95ad..b195a0c 100644
--- a/README.md
+++ b/README.md
@@ -54,8 +54,8 @@ to install `spacecookie.service` and `spacecookie.socket` like so:
 	systemctl start  spacecookie.socket
 	systemctl start  spacecookie.service # optional, started by the socket automatically if needed
 
-Don't forget to change the paths in the systemd files and match the user name in
-`spacecookie.socket` with the one in `spacecookie.json`!
+You'll have to ensure that the paths are correct and the user and group specified
+in `spacecookie.socket` and `spacecookie.service` exist.
 
 ### Without systemd
 
diff --git a/etc/spacecookie.json b/etc/spacecookie.json
index 72aa46a..3333b10 100644
--- a/etc/spacecookie.json
+++ b/etc/spacecookie.json
@@ -1,6 +1,6 @@
 {
   "hostname" : "localhost",
-  "port" : 7070,
+  "port" : 70,
   "user" : null,
   "root" : "/srv/gopher"
 }
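Review bot: With `"port" : 70` next to `"user" : null`, the sample config is only safe when systemd hands the daemon an already-bound socket. Started by hand, as the README's "Without systemd" section describes, binding port 70 needs root, and `"user" : null` presumably means no privilege drop afterwards (inferred from the key name; confirm against the daemon). JSON cannot carry a comment, so the README should say it, for example `When running without systemd, set "user" to an unprivileged account or pick a port above 1024.`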
diff --git a/etc/spacecookie.service b/etc/spacecookie.service
index d69be8b..4dc746e 100644
--- a/etc/spacecookie.service
+++ b/etc/spacecookie.service
@@ -8,6 +8,8 @@ ExecStart=/path/to/spacecookie /path/to/spacecookie.json
 FileDescriptorStoreMax=1
 NotifyAccess=main
 StandardError=journal
+User=spacecookie
+Group=spacecookie
 
 [Install]
 WantedBy=multi-user.target
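Review bot: The added `User=spacecookie` and `Group=spacecookie` lines drop root but add no sandboxing, so a compromised daemon still sees the whole file system with that account's rights. Since the socket unit binds the port, the service should need no extra privileges; consider adding `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes` after the `Group=` line, provided the daemon only reads its config and the gopher root (not visible here; confirm). The account must also be able to read the JSON config and `/srv/gopher`, which the README change does not mention. The [Service] section starts above the hunk.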
diff --git a/etc/spacecookie.socket b/etc/spacecookie.socket
index 6bd5793..588a86a 100644
--- a/etc/spacecookie.socket
+++ b/etc/spacecookie.socket
@@ -5,5 +5,6 @@ Description=Socket for the Spacecookie Gopher Daemon
 BindIPv6Only=both
 SocketGroup=spacecookie
 SocketUser=spacecookie
+SocketMode=0660
 
 ListenStream=[::]:70
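Review bot: `SocketMode=0660` has no effect on this unit, because the only listener is `ListenStream=[::]:70`, a TCP socket, and systemd applies SocketMode= only to file system sockets and FIFOs. The same holds for the `SocketUser=` and `SocketGroup=` context lines. It therefore does not restrict who can connect to the port; either drop the line or mark it with a comment such as `# only applies to AF_UNIX sockets/FIFOs, no effect on the TCP listener below`. The [Socket] section header lies outside the hunk.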