Merge branch 'systemd-drop-sysadmin-privilege' into 'develop' - pleroma - My custom branche(s) on git.pleroma.social/pleroma/pleroma

commit: 89fbed88212657e3dcd4bbcb2c0718b07802037f
parent: 68f483ef4cf6856c3116504987142670bc6ac76c
Author: kaniini <nenolod@gmail.com>
Date:   Fri, 28 Dec 2018 20:14:29 +0000

Merge branch 'systemd-drop-sysadmin-privilege' into 'develop'

Security/Drops the sysadmin privilege from the daemon

See merge request pleroma/pleroma!604
Diffstat:
M installation/pleroma.service 2 ++

1 file changed, 2 insertions(+), 0 deletions(-)
diff --git a/installation/pleroma.service b/installation/pleroma.service
@@ -21,6 +21,8 @@ ProtectSystem=full
 PrivateDevices=false
 ; Ensures that the service process and all its children can never gain new privileges through execve().
 NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 
 [Install]
 WantedBy=multi-user.target