From 2628597e7692ff465d7c575a1c1bfdce35833cad Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sun, 5 Feb 2017 04:46:58 +0100 Subject: cjdns service: allow daemon to drop privileges The service can run certain components with reduced privileges, but for that it needs the setuid capability. --- nixos/modules/services/networking/cjdns.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'nixos/modules/services/networking/cjdns.nix') diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index d478e45f946..12c2677c336 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -258,8 +258,7 @@ in Restart = "always"; StartLimitInterval = 0; RestartSec = 1; - CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; - AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW"; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID"; ProtectSystem = true; MemoryDenyWriteExecute = true; ProtectHome = true; -- cgit 1.4.1