fix: add CAP_SETGID to gigi-standalone bounding set
author Lucas Werkmeister <mail@lucaswerkmeister.de>
Fri, 9 Sep 2016 12:47:57 +0000 (14:47 +0200)
committer Lucas Werkmeister <mail@lucaswerkmeister.de>
Fri, 9 Sep 2016 12:47:57 +0000 (14:47 +0200)
I thought CAP_SETUID included CAP_SETGID, but that’s not the case, and
we need both.

Change-Id: I83adef1bec4baea2a4bd28aafe8c1686f2932014

debian/gigi-standalone.service

index e60e2eedf7620604f96797e51372d8c3f2f5ab33..776625f823b15cc026dafbec93dbb5c028adcad3 100644 (file)
@@ -6,7 +6,7 @@ Conflicts=gigi-proxy.service
 
 [Service]
 ExecStart=/usr/bin/java -cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.Launcher /etc/cacert/gigi/conf.tar
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
 WorkingDirectory=/var/lib/cacert-gigi
 PrivateTmp=yes
 PrivateDevices=yes
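
Review bot: The changed `CapabilityBoundingSet=` line has no comment recording why the service needs `CAP_SETUID` and `CAP_SETGID`. The commit message says both are needed, but the unit file itself does not say what for, and the earlier omission of `CAP_SETGID` shows the requirement is easy to get wrong. Consider adding a comment line above the directive (systemd unit comments go on their own line, starting with `#`) that names the purpose of each of the three capabilities, so that a later tightening of the bounding set does not drop one of them again.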