Merge branch 'systemd-drop-sysadmin-privilege' into 'develop'

Security/Drops the sysadmin privilege from the daemon See merge request pleroma/pleroma!604
author: kaniini <nenolod@gmail.com> 2018-12-28 20:14:29 +0000
committer: kaniini <nenolod@gmail.com> 2018-12-28 20:14:29 +0000
commit: 89fbed88212657e3dcd4bbcb2c0718b07802037f (patch)
tree: c3df6bb1f1a9bb5fe7751eabb639ac57c4ec266b /installation
parent: 68f483ef4cf6856c3116504987142670bc6ac76c (diff)
parent: 64035201b56ee78dc937dfa675e610c03850dcad (diff)
download: pleroma-89fbed88212657e3dcd4bbcb2c0718b07802037f.tar.gz
pleroma-89fbed88212657e3dcd4bbcb2c0718b07802037f.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/installation/pleroma.service b/installation/pleroma.service
index 6955e5cc6..f1ed56cb3 100644
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -21,6 +21,8 @@ ProtectSystem=full
 PrivateDevices=false
 ; Ensures that the service process and all its children can never gain new privileges through execve().
 NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 
 [Install]
 WantedBy=multi-user.target
author	kaniini <nenolod@gmail.com>	2018-12-28 20:14:29 +0000
committer	kaniini <nenolod@gmail.com>	2018-12-28 20:14:29 +0000
commit	89fbed88212657e3dcd4bbcb2c0718b07802037f (patch)
tree	c3df6bb1f1a9bb5fe7751eabb639ac57c4ec266b /installation
parent	68f483ef4cf6856c3116504987142670bc6ac76c (diff)
parent	64035201b56ee78dc937dfa675e610c03850dcad (diff)
download	pleroma-89fbed88212657e3dcd4bbcb2c0718b07802037f.tar.gz pleroma-89fbed88212657e3dcd4bbcb2c0718b07802037f.zip