From 575332e78d5ec2e87c0a154c7da92a3c722493d8 Mon Sep 17 00:00:00 2001 From: admin Date: Fri, 17 Apr 2026 06:05:14 +0000 Subject: [PATCH] =?UTF-8?q?fix:=20sniproxy=20systemd=20unit=20=E5=8E=BB?= =?UTF-8?q?=E6=8E=89=20NoNewPrivileges=20+=20PID=20=E8=B7=AF=E5=BE=84?= =?UTF-8?q?=E7=BB=9F=E4=B8=80=20/run/=20+=20=E6=B3=A8=E9=87=8A=20user=20da?= =?UTF-8?q?emon?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- scripts/stream-unlock.sh | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/scripts/stream-unlock.sh b/scripts/stream-unlock.sh
index 0f2d946..483b50c 100644
--- a/scripts/stream-unlock.sh
+++ b/scripts/stream-unlock.sh
@@ -313,16 +313,9 @@ Documentation=https://github.com/dlundquist/sniproxy
[Service] Type=forking ExecStart=$bin -c $SNIPROXY_CONF
-PIDFile=/var/run/sniproxy.pid
+PIDFile=/run/sniproxy.pid
Restart=on-failure RestartSec=3
-# 最低权限
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-NoNewPrivileges=yes
-ProtectSystem=full
-ProtectHome=yes
-PrivateTmp=yes
[Install] WantedBy=multi-user.target
@@ -356,8 +349,8 @@ sniproxy_write_config() {
# sniproxy.conf - stream-unlock managed # 只解析 SNI 转发, 不做 DNS
-user daemon
-pidfile /var/run/sniproxy.pid
+# user daemon # 不切用户, systemd 管权限
+pidfile /run/sniproxy.pid
error_log { syslog daemon
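Review bot: The first hunk removes the entire least-privilege block (`AmbientCapabilities`, `CapabilityBoundingSet`, `NoNewPrivileges`, `ProtectSystem`, `ProtectHome`, `PrivateTmp`) while the `[Service]` section still has no `User=`, so after this commit sniproxy runs as root with a full capability set and no filesystem sandbox; the subject only mentions NoNewPrivileges, so the other five removals look unintended. If the motivation was that the old config's `user daemon` failed to drop privileges, the likely cause (inferred, not visible here) is that a root-started process needs CAP_SETUID/CAP_SETGID to switch user and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` removed them; the fix is to let systemd do the user switch and keep the hardening, not to delete it. With a non-root `User=` the daemon can no longer create `/run/sniproxy.pid` in root-owned /run, so give it a `RuntimeDirectory=` and point `PIDFile=` (and the matching `pidfile` in sniproxy.conf) into it. The heredoc that writes this unit starts before and ends after the hunk.
```shell
[Service]
Type=forking
# … unchanged: ExecStart, Restart, RestartSec …
User=daemon
RuntimeDirectory=sniproxy
PIDFile=/run/sniproxy/sniproxy.pid
# least privilege: bind :80/:443 only, no privilege escalation, read-only system
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
```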
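Review bot: The new comment `# user daemon # 不切用户, systemd 管权限` in the second hunk says systemd now manages privileges, but the unit this script writes (first hunk) has no `User=` and its hardening directives were removed in the same commit, so the comment documents protection that does not exist and sniproxy keeps root for its whole lifetime. Either restore `user daemon` (which, I infer, requires CAP_SETUID/CAP_SETGID to remain available to the root-started process) or add `User=` to the unit and reword the comment to state the actual contract, e.g. `# no 'user' directive: the systemd unit runs this service as User=daemon`. If a non-root user is used, the `pidfile` path must be somewhere that user can write, e.g. `pidfile /run/sniproxy/sniproxy.pid` paired with `RuntimeDirectory=sniproxy` in the unit. The enclosing sniproxy_write_config() heredoc continues outside the hunk.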