allow nginx master process to use CAP_CHOWN

This is required for it to create the /var directories it uses when the
master process is running as root. It would be possible to run the nginx
master process as non-root, but it doesn't drop ambient capabilities when
it spawns the workers, so running the master process as non-root will end
up giving the workers higher privileges due to them ending up getting
the CAP_NET_BIND_SERVICE capability passed through.
Daniel Micay 2023-07-06 04:57:45 -04:00
parent 2cf694017b
commit 8ac489c9aa


@ -1,5 +1,5 @@
[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
ExecStart=
ExecStart=/usr/bin/nginx -g 'pid /run/nginx.pid;'
LockPersonality=true
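Review bot: the widened CapabilityBoundingSet line keeps CAP_CHOWN available for the whole lifetime of the service, while the commit message says it is only needed so the root master can create its /var directories at startup; consider having systemd create those directories with the right ownership instead (a tmpfiles.d entry, or CacheDirectory=/LogsDirectory= in this drop-in) so the bounding set can stay at the previous four capabilities. If CAP_CHOWN does have to stay, a short comment in the drop-in recording that it exists only for the /var directory creation would keep the rationale next to the setting rather than only in the commit message.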