[systemd-commits] NEWS units/systemd-journald.service.in
Lennart Poettering
lennart at kemper.freedesktop.org
Wed Feb 8 17:06:27 PST 2012
NEWS | 2 ++
units/systemd-journald.service.in | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
New commits:
commit ccd07a083e8040a5bb091c5036ab1b4493ff8363
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Feb 9 02:06:13 2012 +0100
journal: limit caps we pass to journald
diff --git a/NEWS b/NEWS
index 3ef4fbb..e95ac63 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ CHANGES WITH 41:
understood to set system wide environment variables
dynamically at boot.
+ * We now limit the set of capabilities of systemd-journald.
+
Contributions from: Benjamin Franzke, Kay Sievers, Lennart
Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen,
William Douglas
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 08858f3..c153d47 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -18,7 +18,7 @@ After=syslog.socket
ExecStart=@rootlibexecdir@/systemd-journald
NotifyAccess=all
StandardOutput=null
-#CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER
# Increase the default a bit in order to allow many simultaneous
# services being run since we keep one fd open per service.
More information about the systemd-commits
mailing list