Drop privileges when writing to symbiosis-monit.cursor

monit/sbin/symbiosis-monit-failure-email

@@ -3,6 +3,6 @@
 set -e
 
 args="--since=today"
-[ -e "/run/symbiosis-monit.cursor" ] && args="--after-cursor=$(</run/symbiosis-monit.cursor)"
+[ -e "/run/symbiosis-monit.cursor" ] && args="--after-cursor=$(</var/tmp/symbiosis-monit.cursor)"
 
 journalctl -b0 $args -u "symbiosis-monit.service" | mail -s "Symbiosis monitor detected service failure" root

monit/system/symbiosis-monit-failure-email.service

@@ -3,4 +3,4 @@ Description=Notify by email about symbiosis-monit failure
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/symbiosis-monit-failure-email
+ExecStart=/usr/sbin/symbiosis-monit-failure-email

monit/system/symbiosis-monit.service

@@ -4,5 +4,7 @@ OnFailure=symbiosis-monit-failure-email.service
 
 [Service]
 Type=simple
-ExecStartPre=/bin/sh -c 'journalctl -o cat -n 0 -u %n --show-cursor | cut -f3 -d" " > /run/symbiosis-monit.cursor'
-ExecStart=/usr/sbin/symbiosis-monit -t email /etc/symbiosis/monit.d
+ExecStartPre=/bin/sh -c 'journalctl -o cat -n 0 -u %n --show-cursor | cut -f3 -d" " > /var/tmp/symbiosis-monit.cursor'
+ExecStart=+/usr/sbin/symbiosis-monit -t email /etc/symbiosis/monit.d
+User=nobody
+Group=nobody