]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: baee30a)
units: add more caps to machined 738/head
authorLennart Poettering <lennart@poettering.net>
Mon, 27 Jul 2015 15:45:45 +0000 (17:45 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 27 Jul 2015 15:45:45 +0000 (17:45 +0200)
Otherwise copying full directory trees between container and host won't
work, as we cannot access some fiels and cannot adjust the ownership
properly on the destination.

Of course, adding these many caps to the daemon kinda defeats the
purpose of the caps lock-down... but well...

Fixes #433

units/systemd-machined.service.in patch | blob | blame | history

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 19c33959d613c78c241e39daf2cd58cb79009e27..fb1f383cdca0fa642cbc00b7a3517f9dea8eb487 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -15,7 +15,7 @@ After=machine.slice
 [Service]
 ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
-CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID
 WatchdogSec=1min
 
 # Note that machined cannot be placed in a mount namespace, since it
Unnamed repository; edit this file 'description' to name the repository.