From: Michal Sekletar Date: Mon, 19 Dec 2022 16:58:49 +0000 (+0100) Subject: units: allow systemd-userdbd to change process name X-Git-Tag: v253-rc1~242^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F25787%2Fhead;p=thirdparty%2Fsystemd.git units: allow systemd-userdbd to change process name rename_process() requires CAP_SYS_RESOURCE so let's make sure it is in our permitted set after execve() by adding in to the bounding set. Previously, systemd-userdbd.service - User Database Manager Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled) Active: active (running) since Mon 2022-12-19 17:07:21 CET; 17min ago TriggeredBy: ● systemd-userdbd.socket Docs: man:systemd-userdbd.service(8) Main PID: 1880 (systemd-userdbd) Status: "Processing requests..." Tasks: 4 (limit: 2272) Memory: 5.2M CPU: 244ms CGroup: /system.slice/systemd-userdbd.service ├─1880 /usr/lib/systemd/systemd-userdbd ├─2270 systemd-userwork ├─2271 systemd-userwork └─2272 systemd-userwork Now, Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled) Active: active (running) since Mon 2022-12-19 17:27:02 CET; 15s ago TriggeredBy: ● systemd-userdbd.socket Docs: man:systemd-userdbd.service(8) Main PID: 2404 (systemd-userdbd) Status: "Processing requests..." Tasks: 4 (limit: 2272) Memory: 5.5M CPU: 89ms CGroup: /system.slice/systemd-userdbd.service ├─2404 /usr/lib/systemd/systemd-userdbd ├─2407 "systemd-userwork: waiting..." ├─2408 "systemd-userwork: waiting..." └─2409 "systemd-userwork: waiting..." --- diff --git a/units/systemd-userdbd.service.in b/units/systemd-userdbd.service.in index 84dea04f55a..b57661100cd 100644 --- a/units/systemd-userdbd.service.in +++ b/units/systemd-userdbd.service.in @@ -16,7 +16,7 @@ Before=sysinit.target DefaultDependencies=no [Service] -CapabilityBoundingSet=CAP_DAC_READ_SEARCH +CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE ExecStart={{ROOTLIBEXECDIR}}/systemd-userdbd IPAddressDeny=any LimitNOFILE={{HIGH_RLIMIT_NOFILE}}