33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From 58a9e1083865e75bba3cf9867a3df109031d7810 Mon Sep 17 00:00:00 2001
|
|
From: Viktor Ashirov <vashirov@redhat.com>
|
|
Date: Mon, 28 Jul 2025 13:18:26 +0200
|
|
Subject: [PATCH] Issue 6181 - RFE - Allow system to manage uid/gid at startup
|
|
|
|
Description:
|
|
Expand CapabilityBoundingSet to include CAP_FOWNER
|
|
|
|
Relates: https://github.com/389ds/389-ds-base/issues/6181
|
|
Relates: https://github.com/389ds/389-ds-base/issues/6906
|
|
|
|
Reviewed by: @progier389 (Thanks!)
|
|
---
|
|
wrappers/systemd.template.service.in | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
|
|
index fa05c9f60..6db1f6f8f 100644
|
|
--- a/wrappers/systemd.template.service.in
|
|
+++ b/wrappers/systemd.template.service.in
|
|
@@ -25,7 +25,7 @@ MemoryAccounting=yes
|
|
|
|
# Allow non-root instances to bind to low ports.
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_CHOWN
|
|
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
|
|
|
|
PrivateTmp=on
|
|
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
--
|
|
2.49.0
|
|
|