diff --git a/mox.service b/mox.service
index 10b5f24..1d870a2 100644
--- a/mox.service
+++ b/mox.service
@@ -22,11 +22,10 @@ ReadWritePaths=/home/mox/config /home/mox/data
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
 AmbientCapabilities=
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FSETID
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FSETID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
 NoNewPrivileges=yes
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
 ProtectProc=invisible
-RestrictSUIDSGID=yes
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RemoveIPC=yes
@@ -40,6 +39,9 @@ DevicePolicy=closed
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+# Cannot have RestrictSUIDSGID with setgid directories.
+#RestrictSUIDSGID=yes
+
 # prevents CAP_NET_BIND_SERVICE from working?
 #PrivateUsers=yes
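Review bot: The widened `CapabilityBoundingSet=` line in the first hunk carries no comment saying which operation needs CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_FOWNER, while the only rationale in the commit (the setgid-directory comment in the second hunk) is attached to the removal of `RestrictSUIDSGID=`. CAP_DAC_OVERRIDE in particular bypasses discretionary file-permission checks wherever the process holds it, so a reader cannot tell from the unit whether all three are required or whether, for instance, CAP_FOWNER alone would cover the setgid-directory case. A comment above the line such as `# CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER: required for <operation> on the setgid directories under ReadWritePaths (see the RestrictSUIDSGID note below)` would record the decision, with the placeholder replaced by the actual operation. With `RestrictSUIDSGID=` gone and CAP_FOWNER plus CAP_CHOWN in the bounding set, the remaining limit on where setgid files can be created appears to be `ReadWritePaths=`, which is worth stating next to the capability list. The `[Service]` section header this hunk belongs to lies outside the hunk.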