more permissions in mox.service to ease with upgrade to v0.0.2

- CAP_FSETID looks needed to make accessing setgid dirs work.
- CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are needed to access the existing config/mox.conf.
- CAP_FOWNER seems needed to chmod the config/ and data/ files.
- RestrictSUIDSGID=yes has to be off for chmod to work
Mechiel Lukkien 2023-02-27 15:48:37 +01:00
parent cfa6554d03
commit aed8360002


@ -22,11 +22,10 @@ ReadWritePaths=/home/mox/config /home/mox/data
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectControlGroups=yes ProtectControlGroups=yes
AmbientCapabilities= AmbientCapabilities=
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FSETID CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FSETID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
NoNewPrivileges=yes NoNewPrivileges=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
ProtectProc=invisible ProtectProc=invisible
RestrictSUIDSGID=yes
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes RestrictRealtime=yes
RemoveIPC=yes RemoveIPC=yes
@ -40,6 +39,9 @@ DevicePolicy=closed
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=@system-service SystemCallFilter=@system-service
# Cannot have RestrictSUIDSGID with setgid directories.
#RestrictSUIDSGID=yes
# prevents CAP_NET_BIND_SERVICE from working? # prevents CAP_NET_BIND_SERVICE from working?
#PrivateUsers=yes #PrivateUsers=yes