From: Aki Tuomi Date: Tue, 24 Apr 2018 08:44:33 +0000 (+0300) Subject: systemd: Remove NoNewPrivileges and CAP_BOUNDING_SET X-Git-Tag: 2.3.2.rc1~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f0265f98d3939c65f347ddf093bffc076cf00e4;p=thirdparty%2Fdovecot%2Fcore.git systemd: Remove NoNewPrivileges and CAP_BOUNDING_SET These break sieve by preventing SUID binary as sendmail_path. --- diff --git a/dovecot.service.in b/dovecot.service.in index 5fe382a12f..d6c9dae776 100644 --- a/dovecot.service.in +++ b/dovecot.service.in @@ -20,9 +20,6 @@ PrivateTmp=true NonBlocking=yes ProtectSystem=full PrivateDevices=true -# disable this if you want to use apparmor plugin -NoNewPrivileges=true -CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE # You can add environment variables with e.g.: #Environment='CORE_OUTOFMEM=1'
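Review bot: Missing documentation in the `dovecot.service.in` hunk: the three removed lines, including the comment `# disable this if you want to use apparmor plugin`, disappear without leaving any trace in the unit file of why `NoNewPrivileges=true` and the `CapabilityBoundingSet=` list are absent. That reason exists only in the commit message (a SUID binary used as `sendmail_path` for sieve). The removal also applies to every installation, including those that do not deliver through a SUID sendmail binary, which lose both restrictions with no hint that they can be turned back on. Consider keeping the two directives as commented-out lines next to the existing `#Environment=` example, with a short comment saying they are safe to enable when `sendmail_path` is not a SUID binary and the apparmor plugin is not in use. Since both settings were removed together, it would also help to state in the commit message whether each one on its own breaks the SUID `sendmail_path` case, or whether one of them could have been kept.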