diff options
| author | Lennart Poettering <lennart@poettering.net> | 2012-02-09 02:06:13 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2012-02-09 02:06:13 +0100 |
| commit | ccd07a083e8040a5bb091c5036ab1b4493ff8363 (patch) | |
| tree | e560933ad971fd2cd6190e410ebc6496c261c15f | |
| parent | cea6691857229790d65d5694db82d8ceb95d1a3d (diff) | |
journal: limit caps we pass to journald
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | units/systemd-journald.service.in | 2 |
2 files changed, 3 insertions, 1 deletions
@@ -16,6 +16,8 @@ CHANGES WITH 41: understood to set system wide environment variables dynamically at boot. + * We now limit the set of capabilities of systemd-journald. + Contributions from: Benjamin Franzke, Kay Sievers, Lennart Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen, William Douglas diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 08858f38d7..c153d472c0 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -18,7 +18,7 @@ After=syslog.socket ExecStart=@rootlibexecdir@/systemd-journald NotifyAccess=all StandardOutput=null -#CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER # Increase the default a bit in order to allow many simultaneous # services being run since we keep one fd open per service. |