Security/Drops the sysadmin privilege from the daemon

author: shibayashi <shibayashi@cypherpunk.observer> 2018-12-28 21:09:48 +0100
committer: shibayashi <shibayashi@cypherpunk.observer> 2018-12-28 21:09:48 +0100
commit: 64035201b56ee78dc937dfa675e610c03850dcad (patch)
tree: 9e0e0314dbeb7842de375b7cfcd5bae5790b54e8
parent: 3370924b8ba87354249182694cfa3b598a66e6de (diff)
download: pleroma-64035201b56ee78dc937dfa675e610c03850dcad.tar.gz
pleroma-64035201b56ee78dc937dfa675e610c03850dcad.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/installation/pleroma.service b/installation/pleroma.service
index 6955e5cc6..f1ed56cb3 100644
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -21,6 +21,8 @@ ProtectSystem=full
 PrivateDevices=false
 ; Ensures that the service process and all its children can never gain new privileges through execve().
 NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 
 [Install]
 WantedBy=multi-user.target
author	shibayashi <shibayashi@cypherpunk.observer>	2018-12-28 21:09:48 +0100
committer	shibayashi <shibayashi@cypherpunk.observer>	2018-12-28 21:09:48 +0100
commit	64035201b56ee78dc937dfa675e610c03850dcad (patch)
tree	9e0e0314dbeb7842de375b7cfcd5bae5790b54e8
parent	3370924b8ba87354249182694cfa3b598a66e6de (diff)
download	pleroma-64035201b56ee78dc937dfa675e610c03850dcad.tar.gz pleroma-64035201b56ee78dc937dfa675e610c03850dcad.zip