pyrox.dev / nixpkgs
lol
fork atom

cjdns service: allow daemon to drop privileges

The service can run certain components with reduced privileges, but for
that it needs the setuid capability.

Joachim Fasting 2628597e a0338afe

options
unified split
Changed files
+1 -2
nixos
modules
services
networking
cjdns.nix
+1 -2
nixos/modules/services/networking/cjdns.nix 
···

       
258

       
 

       
        Restart = "always";


     

       
259

       
 

       
        StartLimitInterval = 0;


     

       
260

       
 

       
        RestartSec = 1;


     

       
261

       
-

       
        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";


     

       
262

       
-

       
        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";


     

       
263

       
 

       
        ProtectSystem = true;


     

       
264

       
 

       
        MemoryDenyWriteExecute = true;


     

       
265

       
 

       
        ProtectHome = true;


     
···

       
258

       
 

       
        Restart = "always";


     

       
259

       
 

       
        StartLimitInterval = 0;


     

       
260

       
 

       
        RestartSec = 1;


     

       
261

       
+

       
        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";


     

       

       

       
     

       
262

       
 

       
        ProtectSystem = true;


     

       
263

       
 

       
        MemoryDenyWriteExecute = true;


     

       
264

       
 

       
        ProtectHome = true;