NoNewPrivileges breaks ability to send email via sendmail because it restricts ability to run setuid/setgid binaries
This commit is contained in:
parent
cb3ee4d543
commit
e7b0840b88
|
@ -31,8 +31,6 @@ ProtectHome=true
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
|
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
|
||||||
PrivateDevices=false
|
PrivateDevices=false
|
||||||
; Ensures that the service process and all its children can never gain new privileges through execve().
|
|
||||||
NoNewPrivileges=true
|
|
||||||
; Drops the sysadmin capability from the daemon.
|
; Drops the sysadmin capability from the daemon.
|
||||||
CapabilityBoundingSet=~CAP_SYS_ADMIN
|
CapabilityBoundingSet=~CAP_SYS_ADMIN
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue