I thought CAP_SETUID included CAP_SETGID, but that’s not the case, and
we need both.
Change-Id: I83adef1bec4baea2a4bd28aafe8c1686f2932014
[Service]
ExecStart=/usr/bin/java -cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.Launcher /etc/cacert/gigi/conf.tar
[Service]
ExecStart=/usr/bin/java -cp /usr/share/java/postgresql-jdbc4.jar:/usr/share/java/gigi.jar org.cacert.gigi.Launcher /etc/cacert/gigi/conf.tar
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
WorkingDirectory=/var/lib/cacert-gigi
PrivateTmp=yes
PrivateDevices=yes
WorkingDirectory=/var/lib/cacert-gigi
PrivateTmp=yes
PrivateDevices=yes