diff options
| author | Lennart Poettering <lennart@poettering.net> | 2019-03-20 20:19:38 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2019-04-02 16:56:48 +0200 |
| commit | bf65b7e0c9fc215897b676ab9a7c9d1c688143ba (patch) | |
| tree | 906348e2120baa73531e774cf98eb1c5bbbc0c62 /units | |
| parent | 62aa29247c3d74bcec0607c347f2be23cd90675d (diff) | |
| download | systemd-bf65b7e0c9fc215897b676ab9a7c9d1c688143ba.tar.gz | |
core: imply NNP and SUID/SGID restriction for DynamicUser=yes service
Let's be safe, rather than sorry. This way DynamicUser=yes services can
neither take benefit of, nor create SUID/SGID binaries.
Given that DynamicUser= is a recent addition only we should be able to
get away with turning this on, even though this is strictly speaking a
binary compatibility breakage.
Diffstat (limited to 'units')
| -rw-r--r-- | units/systemd-journal-gatewayd.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-journal-upload.service.in | 1 |
2 files changed, 0 insertions, 2 deletions
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index 0f16ae4ccb..50f774512b 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -17,7 +17,6 @@ DynamicUser=yes ExecStart=@rootlibexecdir@/systemd-journal-gatewayd LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes ProtectControlGroups=yes diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in index 10e4d657d3..e3800473ec 100644 --- a/units/systemd-journal-upload.service.in +++ b/units/systemd-journal-upload.service.in @@ -18,7 +18,6 @@ DynamicUser=yes ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateDevices=yes ProtectControlGroups=yes ProtectHome=yes |