From eed4160b85e300ecca10eb9623d94211a545d335 Mon Sep 17 00:00:00 2001 From: Gabriel Arazas Date: Wed, 20 Sep 2023 11:04:45 +0800 Subject: [PATCH] hosts/plover: reduce service capability --- hosts/plover/modules/services/bind.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/plover/modules/services/bind.nix b/hosts/plover/modules/services/bind.nix index 936b74ee..cdf730f4 100644 --- a/hosts/plover/modules/services/bind.nix +++ b/hosts/plover/modules/services/bind.nix @@ -220,11 +220,11 @@ in # Granting and restricting its capabilities. Take note we're not using # syslog for this even if the application can so no syslog capability. + # Additionally, we're using omitting the program's ability to chroot and + # chown since the user and the directories are already configured. CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" - "CAP_CHOWN" - "CAP_SYS_CHROOT" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];