graphene-os-server-infrastr.../systemd/system/nginx.service.d
Daniel Micay afce4f2a51 limit nginx service capabilities
Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
an ambient capability but it would be inherited by workers. It's better
to leave the supervisor process as root for the time being unless nginx
was taught to use socket activation or drop capabilities for workers.
2022-08-10 11:12:20 -04:00
hardening.conf limit nginx service capabilities 2022-08-10 11:12:20 -04:00