Add CAP_DAC_READ_SEARCH to CapabilityBoundingSet for rsync

author Peter Palfrader <peter@palfrader.org>

Mon, 6 Feb 2017 22:04:41 +0000 (23:04 +0100)

committer Peter Palfrader <peter@palfrader.org>

Mon, 6 Feb 2017 22:04:41 +0000 (23:04 +0100)
author Peter Palfrader <peter@palfrader.org>
Mon, 6 Feb 2017 22:04:41 +0000 (23:04 +0100)
committer Peter Palfrader <peter@palfrader.org>
Mon, 6 Feb 2017 22:04:41 +0000 (23:04 +0100)
diff --git a/modules/rsync/templates/systemd-rsyncd.service.erb b/modules/rsync/templates/systemd-rsyncd.service.erb

index 2a21d65..5ecc685 100644 (file)
--- a/modules/rsync/templates/systemd-rsyncd.service.erb
+++ b/modules/rsync/templates/systemd-rsyncd.service.erb
@@ -5,7 +5,7 @@ Description=rsync daemon <%= @name %>
  ExecStart=-/usr/bin/rsync --daemon --config=<%= @fname_real_rsync %>
  StandardInput=socket
  StandardError=journal
-CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH
  PrivateDevices=true
  PrivateNetwork=true
  ProtectHome=read-only
author	Peter Palfrader <peter@palfrader.org>
	Mon, 6 Feb 2017 22:04:41 +0000 (23:04 +0100)
committer	Peter Palfrader <peter@palfrader.org>
	Mon, 6 Feb 2017 22:04:41 +0000 (23:04 +0100)