Problem
`systemd/xmrig.service.template` runs `User=root` with `LimitMEMLOCK=infinity` and no hardening directives. Separately, `configure_limits` grants `* soft/hard memlock unlimited` to all users (rigforge.sh:499-500) — broader than needed.
Proposed
- Add the systemd hardening directives compatible with MSR/HugePages/cpupower needs (e.g. `NoNewPrivileges` where possible, `ProtectHome`, `PrivateTmp`, `ProtectSystem` with carve-outs); document precisely why any remaining privilege is required.
- Scope `memlock unlimited` to the dedicated mining user instead of `*`.
- Consider running XMRig as a dedicated non-root user with only the capabilities it needs (MSR write is the sticking point — document the tradeoff).
Acceptance
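A check for the two findings under Problem, as an added example that is not part of the original issue or the project's code: it flags a unit that runs as root, reports which of the directives named above are unset, and lists wildcard memlock grants. The function names, the sample file contents and the `miner` user are constructed for illustration, and directives are matched anywhere in the file rather than only under `[Service]`.

```shell
#!/bin/sh
# Added example: audits a unit file and a limits fragment for this issue's findings.

# Print each hardening directive named in the issue that the unit never sets.
missing_hardening() {
    for d in NoNewPrivileges ProtectHome PrivateTmp ProtectSystem; do
        grep -Eq "^[[:space:]]*${d}[[:space:]]*=" "$1" || printf '%s\n' "$d"
    done
}

# Succeed if the unit runs as root: User=root, or no User= at all
# (system services default to root). The last User= assignment wins.
runs_as_root() {
    user=$(sed -n 's/^[[:space:]]*User[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    [ -z "$user" ] || [ "$user" = root ]
}

# Print limits.conf-style lines giving the "*" domain unlimited memlock.
wildcard_memlock() {
    awk '$1 == "*" && $3 == "memlock" && ($4 == "unlimited" || $4 == "infinity" || $4 == "-1")' "$1"
}

# Print every finding; return 1 if there is at least one.
audit() {
    rc=0
    if runs_as_root "$1"; then echo "unit runs as root"; rc=1; fi
    for d in $(missing_hardening "$1"); do echo "unit lacks $d="; rc=1; done
    if [ -n "$(wildcard_memlock "$2")" ]; then echo "memlock unlimited granted to *"; rc=1; fi
    return "$rc"
}

# Constructed sample inputs (not the project's real files; "miner" is hypothetical).
make_samples() {
    cat > "$1/xmrig.service" <<'EOF'
[Service]
User=root
LimitMEMLOCK=infinity
PrivateTmp=true
EOF
    cat > "$1/limits.conf" <<'EOF'
* soft memlock unlimited
* hard memlock unlimited
miner hard memlock unlimited
EOF
}

demo=$(mktemp -d) && make_samples "$demo"
audit "$demo/xmrig.service" "$demo/limits.conf" || true
rm -rf "$demo"
```

Pointed at the rendered unit and the limits file that `configure_limits` writes, `audit` exits non-zero until both findings are addressed, so it can gate CI.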