diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2017-02-05 04:46:58 +0100 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-02-05 04:54:26 +0100 |
| commit | 2628597e7692ff465d7c575a1c1bfdce35833cad (patch) | |
| tree | ece168ea686499e6b3cb19d50ae4e9b4f3716774 /nixos/modules/services/networking/cjdns.nix | |
| parent | a0338afe5faa9f9e403e2caa52e4a8b60c272be9 (diff) | |
| download | nixpkgs-2628597e7692ff465d7c575a1c1bfdce35833cad.tar nixpkgs-2628597e7692ff465d7c575a1c1bfdce35833cad.tar.gz nixpkgs-2628597e7692ff465d7c575a1c1bfdce35833cad.tar.bz2 nixpkgs-2628597e7692ff465d7c575a1c1bfdce35833cad.tar.lz nixpkgs-2628597e7692ff465d7c575a1c1bfdce35833cad.tar.xz nixpkgs-2628597e7692ff465d7c575a1c1bfdce35833cad.tar.zst nixpkgs-2628597e7692ff465d7c575a1c1bfdce35833cad.zip | |
cjdns service: allow daemon to drop privileges
The service can run certain components with reduced privileges, but for that it needs the setuid capability.
Diffstat (limited to 'nixos/modules/services/networking/cjdns.nix')
| -rw-r--r-- | nixos/modules/services/networking/cjdns.nix | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index d478e45f946..12c2677c336 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -258,8 +258,7 @@ in Restart = "always"; StartLimitInterval = 0; RestartSec = 1; - CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; - AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW"; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID"; ProtectSystem = true; MemoryDenyWriteExecute = true; ProtectHome = true; |