Security/Drops the sysadmin privilege from the daemon

author shibayashi <shibayashi@cypherpunk.observer>

Fri, 28 Dec 2018 20:09:48 +0000 (21:09 +0100)

committer shibayashi <shibayashi@cypherpunk.observer>

Fri, 28 Dec 2018 20:09:48 +0000 (21:09 +0100)
author shibayashi <shibayashi@cypherpunk.observer>
Fri, 28 Dec 2018 20:09:48 +0000 (21:09 +0100)
committer shibayashi <shibayashi@cypherpunk.observer>
Fri, 28 Dec 2018 20:09:48 +0000 (21:09 +0100)
diff --git a/installation/pleroma.service b/installation/pleroma.service

index 6955e5cc65cb08fde3c48e4d1ad6740da68c273a..f1ed56cb3c8dd9db857392840ae58650cf1e3cdb 100644 (file)
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -21,6 +21,8 @@ ProtectSystem=full
  PrivateDevices=false
  ; Ensures that the service process and all its children can never gain new privileges through execve().
  NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
  
  [Install]
  WantedBy=multi-user.target
author	shibayashi <shibayashi@cypherpunk.observer>
	Fri, 28 Dec 2018 20:09:48 +0000 (21:09 +0100)
committer	shibayashi <shibayashi@cypherpunk.observer>
	Fri, 28 Dec 2018 20:09:48 +0000 (21:09 +0100)