commit: 89fbed88212657e3dcd4bbcb2c0718b07802037f
parent: 68f483ef4cf6856c3116504987142670bc6ac76c
Author: kaniini <nenolod@gmail.com>
Date: Fri, 28 Dec 2018 20:14:29 +0000
Merge branch 'systemd-drop-sysadmin-privilege' into 'develop'
Security/Drops the sysadmin privilege from the daemon
See merge request pleroma/pleroma!604
Diffstat:
1 file changed, 2 insertions(+), 0 deletions(-)
diff --git a/installation/pleroma.service b/installation/pleroma.service
@@ -21,6 +21,8 @@ ProtectSystem=full
PrivateDevices=false
; Ensures that the service process and all its children can never gain new privileges through execve().
NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
[Install]
WantedBy=multi-user.target