feat(agent): isolate from erik — dedicated overlord-agent user
The agent service was running as User=erik, which meant: - Sessions polluted erik's ~/.claude/projects/ - erik's .claude/settings.local.json (months of accumulated dev permissions for docker/git/dotnet/etc.) was loaded by the production agent, defeating the --allowed-tools whitelist - Subscription rate quota mingled between human-erik's interactive Claude Code use and the production assistant - Theoretical access to /home/erik/.ssh, .bash_history, .gitconfig Now: - User=overlord-agent (system account, no shell, /var/lib/overlord-agent home) - HOME=/var/lib/overlord-agent — claude state fully isolated from erik - /home/erik/.claude permissions tightened to 0700 (was 0755) - group=overlord-agent on the repo + /etc/overlord/agent.env (read-only) Project settings: - New strict committed .claude/settings.json: deny Bash/Read/Write/Edit/ Glob/Grep/NotebookEdit/WebSearch; allow only WebFetch(domain:acpedia.org) - .claude/settings.local.json now gitignored (was leaking dev permissions to the server through the deploy)
This commit is contained in:
Erik
parent
49ae4369e0
commit
f894399165
3 changed files with 42 additions and 14 deletions
|
|
@ -5,18 +5,23 @@ Wants=network-online.target
|
|||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=erik
|
||||
Group=erik
|
||||
# Working directory MUST be the repo root so:
|
||||
# - claude -p sessions land at ~/.claude/projects/-home-erik-MosswartOverlord/
|
||||
# - .mcp.json is auto-loaded
|
||||
# Dedicated unprivileged user — kernel-level isolation from `erik`.
|
||||
# overlord-agent has NO access to /home/erik/.claude (mode 0700),
|
||||
# /home/erik/.ssh, /home/erik/.bash_history, /home/erik/.gitconfig, etc.
|
||||
# Its own claude state lives at /var/lib/overlord-agent/.claude/ and its
|
||||
# claude session JSONLs land there — completely separate from any
|
||||
# interactive Claude Code use by the human user.
|
||||
User=overlord-agent
|
||||
Group=overlord-agent
|
||||
# Working directory: the repo root (group-readable to overlord-agent).
|
||||
# claude session JSONLs path-encode this cwd so it's important to keep
|
||||
# stable across restarts.
|
||||
WorkingDirectory=/home/erik/MosswartOverlord
|
||||
# Secrets moved OUT of /home/erik/ to /etc/overlord/agent.env so
|
||||
# ProtectHome=read-only blocks their read entirely. The file is
|
||||
# root-owned, mode 0640, group=erik.
|
||||
# HOME explicitly set so claude reads /var/lib/overlord-agent/.claude/*
|
||||
# instead of trying /home/erik/.claude/* (which is now 0700, locked out).
|
||||
Environment="HOME=/var/lib/overlord-agent"
|
||||
# Secrets file (root:overlord-agent 0640).
|
||||
EnvironmentFile=-/etc/overlord/agent.env
|
||||
# Backwards-compat: also try the old location during transition.
|
||||
EnvironmentFile=-/home/erik/MosswartOverlord/.env
|
||||
# Run inside the venv populated by install.sh.
|
||||
ExecStart=/home/erik/MosswartOverlord/agent/.venv/bin/python -m agent.service
|
||||
Restart=on-failure
|
||||
|
|
@ -37,12 +42,11 @@ ProtectHome=read-only
|
|||
# Allow writing only to the explicit paths claude / our service need.
|
||||
# - ~/.claude — session JSONL files
|
||||
# - .venv pycache — minor pip cache writes
|
||||
ReadWritePaths=/home/erik/.claude
|
||||
ReadWritePaths=/var/lib/overlord-agent/.claude
|
||||
ReadWritePaths=/home/erik/MosswartOverlord/agent/.venv
|
||||
ReadWritePaths=/var/log/overlord-agent
|
||||
# Keep $HOME visible to the venv python so it can find pip cache etc.
|
||||
# (read-only via ProtectHome=read-only — this writable carve-out is
|
||||
# narrowly the .claude session dir above.)
|
||||
# StateDirectory creates/owns /var/lib/overlord-agent automatically.
|
||||
StateDirectory=overlord-agent
|
||||
LogsDirectory=overlord-agent
|
||||
LogsDirectoryMode=0755
|
||||
PrivateTmp=true
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue