Merge #16556: Fix systemd service file configuration directory setup

f3b57f4 Unrecommend making config file owned by bitcoin (setpill)
870d415 Set ProtectHome in systemd service file (setpill)
639a416 Chgrp config dir to bitcoin in systemd service (setpill)
aded052 Improve clarity of systemd service file comments (setpill)

Pull request description:

  Rationale: ran into a bug with the systemd service file, fixed it locally and figured I might as well contribute my fix.

  Also fixed some unrelated confusing phrasing in the comments of the same file, after discussion in IRC.

ACKs for top commit:
  sipsorcery:
    tACK f3b57f4 (nothing changed since previous tACK).
  ryanofsky:
    utACK f3b57f4. Only change since last review is removing ConfigurationDirectoryMode churn in early commits

Tree-SHA512: 2188345878925b9e8a5c2c3df8dfba443720e2252a164db54a8e1d8007846721497b2d98c56f1d9b60a9a9ed4fdb1156c7b02c699616b220a9b614671617d32a

Author: fanquake

contrib/init/bitcoind.service

@@ -5,8 +5,9 @@
 # See "man systemd.service" for details.
 
 # Note that almost all daemon options could be specified in
-# /etc/bitcoin/bitcoin.conf, except for those explicitly specified as arguments
-# in ExecStart=
+# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly
+# specified as arguments in ExecStart= will override those in the
+# config file.
 
 [Unit]
 Description=Bitcoin daemon
@@ -18,6 +19,10 @@ ExecStart=/usr/bin/bitcoind -daemon \
                             -conf=/etc/bitcoin/bitcoin.conf \
                             -datadir=/var/lib/bitcoind
 
+# Make sure the config directory is readable by the service user
+PermissionsStartOnly=true
+ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
+
 # Process management
 ####################
 
@@ -53,6 +58,9 @@ PrivateTmp=true
 # Mount /usr, /boot/ and /etc read-only for the process.
 ProtectSystem=full
 
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
 # Disallow the process and all of its children to gain
 # new privileges through execve().
 NoNewPrivileges=true

doc/init.md

@@ -59,11 +59,11 @@ Data directory:      `/var/lib/bitcoind`
 PID file:            `/var/run/bitcoind/bitcoind.pid` (OpenRC and Upstart) or `/run/bitcoind/bitcoind.pid` (systemd)
 Lock file:           `/var/lock/subsys/bitcoind` (CentOS)  
 
-The configuration file, PID directory (if applicable) and data directory
-should all be owned by the bitcoin user and group.  It is advised for security
-reasons to make the configuration file and data directory only readable by the
-bitcoin user and group.  Access to bitcoin-cli and other bitcoind rpc clients
-can then be controlled by group membership.
+The PID directory (if applicable) and data directory should both be owned by the
+bitcoin user and group. It is advised for security reasons to make the
+configuration file and data directory only readable by the bitcoin user and
+group. Access to bitcoin-cli and other bitcoind rpc clients can then be
+controlled by group membership.
 
 NOTE: When using the systemd .service file, the creation of the aforementioned
 directories and the setting of their permissions is automatically handled by