-rw-r--r--src/network/networkd.c18
-rw-r--r--units/systemd-networkd.service.in9
2 files changed, 17 insertions, 10 deletions
diff --git a/src/network/networkd.c b/src/network/networkd.c
index fe60f1ed14..8efd160aaa 100644
--- a/src/network/networkd.c
+++ b/src/network/networkd.c
@@ -70,13 +70,17 @@ int main(int argc, char *argv[]) {
if (r < 0)
log_warning_errno(r, "Could not create runtime directory 'lldp': %m");
- r = drop_privileges(uid, gid,
- (1ULL << CAP_NET_ADMIN) |
- (1ULL << CAP_NET_BIND_SERVICE) |
- (1ULL << CAP_NET_BROADCAST) |
- (1ULL << CAP_NET_RAW));
- if (r < 0)
- goto out;
+ /* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
+ * privileges are already dropped. */
+ if (geteuid() == 0) {
+ r = drop_privileges(uid, gid,
+ (1ULL << CAP_NET_ADMIN) |
+ (1ULL << CAP_NET_BIND_SERVICE) |
+ (1ULL << CAP_NET_BROADCAST) |
+ (1ULL << CAP_NET_RAW));
+ if (r < 0)
+ goto out;
+ }
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);
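Review bot: The new `geteuid() == 0` branch silently assumes that a non-root start already carries only the intended privileges, but nothing in the hunk verifies it, so an unprivileged start that still holds capabilities outside the four NET_* ones would keep them. At minimum the assumption should be visible in the journal, e.g. `} else log_debug("Not running as root, assuming privileges are already dropped.");`, and ideally the effective capability set would be checked against the four expected capabilities before continuing. The uid/gid lookup that feeds drop_privileges() happens before this hunk and is presumably still performed when its result is unused; confirm it cannot fail fatally in the unprivileged path. main() starts and ends outside the hunk.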
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 218e5c4d3f..3f0ad77b7d 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -20,9 +20,11 @@ Wants=network.target
Type=notify
Restart=on-failure
RestartSec=0
-ExecStart=@rootlibexecdir@/systemd-networkd
+ExecStart=!!@rootlibexecdir@/systemd-networkd
WatchdogSec=3min
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+User=systemd-network
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
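Review bot: The `!!` prefix on ExecStart= together with the new User=/AmbientCapabilities= lines forms a fallback contract with the geteuid() check in networkd.c, but the unit does not document it, so a reader of the unit alone cannot tell why the executable path is prefixed. A comment above ExecStart= would make the contract explicit: `# "!!": on systems without ambient capability support, User= and AmbientCapabilities= are ignored and networkd starts as root, dropping privileges itself (see drop_privileges() in networkd.c).` The CAP_SETUID/CAP_SETGID/CAP_SETPCAP entries removed from CapabilityBoundingSet= are exactly what that fallback path needs; as far as I know the service manager re-adds them implicitly when the `!!` fallback is taken, but that is worth confirming against the systemd.service documentation for the targeted version.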
@@ -32,7 +34,8 @@ RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
-ReadWritePaths=/run/systemd
+RuntimeDirectory=systemd/netif
+RuntimeDirectoryPreserve=yes
[Install]
WantedBy=multi-user.target