From a86b010e103771ada1b50ef8ac22e3d791f1a919 Mon Sep 17 00:00:00 2001
From: Norm
Date: Thu, 29 Jun 2023 02:14:04 -0400
Subject: [PATCH] Add NoNewPrivileges to systemd service file for source installs

This setting already exists in the OTP installation directory, but doesn't for the one used by source installs.
---
 installation/akkoma.service | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/installation/akkoma.service b/installation/akkoma.service
index 2c381ad0d..717693495 100644
--- a/installation/akkoma.service
+++ b/installation/akkoma.service
@@ -38,6 +38,8 @@
 ProtectHome=true
 ProtectSystem=full
 ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
 PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
 ; Drops the sysadmin capability from the daemon.
 CapabilityBoundingSet=~CAP_SYS_ADMIN
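Review bot: The new comment explains the kernel flag but not its practical consequence for this unit: once `NoNewPrivileges=true` is in effect, setuid/setgid bits and file capabilities are ignored for every binary the service execs, so any ExecStart*/ExecReload helper added later that relies on them will run without the privileges it expects rather than escalate. I would extend the comment to `; Ensures that the service process and all its children can never gain new privileges through execve(); setuid/setgid binaries and file capabilities are ignored for anything this unit runs.` As I recall, systemd already implies this flag when several other sandboxing directives are enabled, but `PrivateDevices=false` in this hunk is one that does not trigger it, so the explicit line is worthwhile rather than redundant; the User= and ExecStart= settings that could interact with it are outside the hunk. After applying, `systemd-analyze security akkoma.service` should show the NoNewPrivileges check passing, which is a cheap regression check for this file and the OTP unit the description says already has it.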