systemd: disable non-working remaining sandboxing options (#2205)
* systemd: use PrivateUsers= in user unit

ProtectSystem= and other sandboxing options require a user namespace in order to work as user units (the user manager does not run as root and thus without a user namespace it is unable to perform mounts).
parent
4a6c78a7a6
commit
39a0048445
|
@ -5,9 +5,11 @@ After=network-online.target
|
|||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
# Commented out hardenings are disabled because they don't work out of the box.
|
||||
# Commented out hardenings are disabled because they may not work out of the box on your distribution
|
||||
# If you know what you are doing please try to enable them.
|
||||
|
||||
ProtectSystem=full
|
||||
PrivateUsers=true
|
||||
#PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
#ProtectClock=true
|
||||
|
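Review bot: `PrivateUsers=true` sits uncommented directly under a header comment that talks only about optional hardenings, and nothing in the unit says this line is a prerequisite rather than one more hardening a user can drop. Per the commit message, `ProtectSystem=` in a user unit only works inside a user namespace, so anyone who removes `PrivateUsers=true` on a system where unprivileged user namespaces are unavailable should know that `ProtectSystem=full` goes with it. Suggest a one-line comment above it, for example `# PrivateUsers= is needed for ProtectSystem= to work in a user unit`. The header comment would also help more if it said why `#PrivateDevices=true` and `#ProtectClock=true` stay commented out, so that "if you know what you are doing" gives the reader something concrete to test against.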
@ -22,4 +24,4 @@ RestartSec=3
|
|||
RestartPreventExitStatus=3
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
WantedBy=default.target
|
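Review bot: `WantedBy=default.target` appears on both sides of this hunk with identical visible text, and the header `-22,4 +24,4` shows no change in line count, so the only difference is whitespace or the end-of-file newline. Please confirm this is intentional and that the file now ends with a newline. If it is incidental editor churn, consider dropping it from this commit so the change stays limited to the sandboxing options.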