author: Lennart Poettering <lennart@poettering.net> 2014-06-01 09:12:00 +0200
committer: Lennart Poettering <lennart@poettering.net> 2014-06-01 09:12:00 +0200
commit: d3cf48f4bd3d69a276f17aa7c910e0b35215caba
tree: dc25842b40016380d9efa24afe7e7aa56d68ce02 /units/systemd-networkd.service.in
parent: units: remove CAP_SYS_PTRACE capability from hostnamed/networkd
networkd: run as unprivileged "systemd-network" user
This allows us to run networkd mostly unprivileged with the exception of CAP_NET_* and CAP_SYS_MODULE. I'd really like to get rid of the latter though...
Diffstat (limited to 'units/systemd-networkd.service.in')
-rw-r--r-- units/systemd-networkd.service.in 2
1 files changed, 1 insertions, 1 deletions
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 40ec90ef85..33c3fca488 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -19,7 +19,7 @@ Type=notify
Restart=always
RestartSec=0
ExecStart=@rootlibexecdir@/systemd-networkd
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_MODULE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_MODULE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
WatchdogSec=1min
[Install]
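Review bot: the new CapabilityBoundingSet= line adds CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_CHOWN, CAP_DAC_OVERRIDE and CAP_FOWNER without saying why, and the commit message names only CAP_NET_* and CAP_SYS_MODULE as the privileges networkd keeps. As far as this file shows, the change widens the bounding set from five capabilities to eleven, and CAP_DAC_OVERRIDE and CAP_SETUID in particular are close to full root for file access and identity changes. If these six are needed only at startup to switch to the "systemd-network" user and prepare its files (an assumption, since that code is outside this file-limited diff), please say so in a comment above the line or in the commit message, and confirm that the daemon drops them from its effective, permitted and bounding sets once the switch is done. Reviewers and later auditors of the unit file can then tell which entries are runtime requirements and which are transitional, and the transitional ones can be removed when the user switch moves out of the daemon.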