diff options
| -rw-r--r-- | support/systemd/peertube.service | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service index c1bdcf760..fba644788 100644 --- a/support/systemd/peertube.service +++ b/support/systemd/peertube.service | |||
| @@ -28,6 +28,11 @@ PrivateDevices=false | |||
| 28 | ; Ensures that the service process and all its children can never gain new | 28 | ; Ensures that the service process and all its children can never gain new |
| 29 | ; privileges through execve(). | 29 | ; privileges through execve(). |
| 30 | NoNewPrivileges=true | 30 | NoNewPrivileges=true |
| 31 | ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked | ||
| 32 | ; by this unit. Make sure that you do not depend on data inside these folders. | ||
| 33 | ProtectHome=true | ||
| 34 | ; Drops the sys admin capability from the daemon. | ||
| 35 | CapabilityBoundingSet=~CAP_SYS_ADMIN | ||
| 31 | 36 | ||
| 32 | [Install] | 37 | [Install] |
| 33 | WantedBy=multi-user.target | 38 | WantedBy=multi-user.target |