disable capabilities at systemd.service; #773

author Costa Tsaousis <costa@tsaousis.gr>

Sun, 14 Aug 2016 13:11:19 +0000 (16:11 +0300)

committer Costa Tsaousis <costa@tsaousis.gr>

Sun, 14 Aug 2016 13:11:19 +0000 (16:11 +0300)
author Costa Tsaousis <costa@tsaousis.gr>
Sun, 14 Aug 2016 13:11:19 +0000 (16:11 +0300)
committer Costa Tsaousis <costa@tsaousis.gr>
Sun, 14 Aug 2016 13:11:19 +0000 (16:11 +0300)
diff --git a/system/netdata.service.in b/system/netdata.service.in

index afdf0d78ce3c24422bd116c1f650ba32e47b8383..2f71735661f22ee95b2289e184cd85aa7ecb57e5 100644 (file)
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -28,8 +28,11 @@ SendSIGKILL=no
  # -----------------------------------------------------------------------------
  # Hardening netdata
  
-AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+# These will apply these capabilities to the entire netdata process tree
+# We don't want this - only apps.plugin needs them
+# AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+
  PrivateTmp=true
  ProtectSystem=full
  ProtectHome=read-only
author	Costa Tsaousis <costa@tsaousis.gr>
	Sun, 14 Aug 2016 13:11:19 +0000 (16:11 +0300)
committer	Costa Tsaousis <costa@tsaousis.gr>
	Sun, 14 Aug 2016 13:11:19 +0000 (16:11 +0300)