-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | units/systemd-journald.service.in | 2 |
2 files changed, 3 insertions, 1 deletions
@@ -16,6 +16,8 @@ CHANGES WITH 41: understood to set system wide environment variables dynamically at boot. + * We now limit the set of capabilities of systemd-journald. + Contributions from: Benjamin Franzke, Kay Sievers, Lennart Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen, William Douglas diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 08858f38d7..c153d472c0 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -18,7 +18,7 @@ After=syslog.socket ExecStart=@rootlibexecdir@/systemd-journald NotifyAccess=all StandardOutput=null -#CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER # Increase the default a bit in order to allow many simultaneous # services being run since we keep one fd open per service. |
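Review bot: The newly enabled `CapabilityBoundingSet=` line in units/systemd-journald.service.in still keeps `CAP_SYS_ADMIN`, `CAP_DAC_OVERRIDE` and `CAP_SYS_PTRACE`, the broadest entries in the set, and nothing in the unit records why each one is required. A compromised journald holding these three retains much of root's reach, so the confinement is weaker than the NEWS entry suggests; a comment above the line such as `# Capabilities journald needs; note the consumer of each before keeping or adding one`, followed by a short reason per capability, would let later reviewers prune the list. `CAP_DAC_READ_SEARCH` also looks largely covered by `CAP_DAC_OVERRIDE` for permission checks, so it may be droppable unless a handle-based open depends on it. The [Service] section begins and ends outside the hunk, so other hardening directives may exist that are not visible here.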