author | Lennart Poettering <lennart@poettering.net> | 2014-06-01 09:12:00 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-06-01 09:12:00 +0200 |
commit | d3cf48f4bd3d69a276f17aa7c910e0b35215caba (patch) | |
tree | dc25842b40016380d9efa24afe7e7aa56d68ce02 /units/systemd-networkd.service.in | |
parent | units: remove CAP_SYS_PTRACE capability from hostnamed/networkd (diff) | |
networkd: run as unprivileged "systemd-network" user

This allows us to run networkd mostly unprivileged with the exception of
CAP_NET_* and CAP_SYS_MODULE. I'd really like to get rid of the latter
though...
Diffstat (limited to 'units/systemd-networkd.service.in')
-rw-r--r-- | units/systemd-networkd.service.in | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 40ec90ef85..33c3fca488 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -19,7 +19,7 @@ Type=notify Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-networkd -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_MODULE +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_MODULE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER WatchdogSec=1min [Install] |
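Review bot: The new CapabilityBoundingSet= line widens the bounding set by six capabilities (CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER), and nothing in this unit says why they are needed or where they are given up again. The commit message describes the end state as CAP_NET_* plus CAP_SYS_MODULE only, so these additions presumably exist just for the startup phase before the switch to "systemd-network", but this hunk adds no User= line and the view is limited to this one file, so that cannot be checked here. Please add a comment above the line noting which of the six are startup-only, and confirm that the daemon clears them from its permitted and effective sets once it has changed user. CAP_DAC_OVERRIDE and CAP_FOWNER in particular bypass file permission and ownership checks, so if they are only used to prepare a runtime directory, consider whether CAP_CHOWN alone would do. CAP_SYS_MODULE stays in the set as the message acknowledges; a short note on what still requires it would help whoever removes it later.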