authorLennart Weller <lhw@ring0.de>2017-03-06 13:26:11 +0000
committerLennart Weller <lhw@ring0.de>2017-03-06 13:26:11 +0000
commitddac3bd0ae77f5a722df7ae2ae1938055c20012a (patch)
tree2053d79f0e98cd062318582ee6eb0e11d46ac17c
parentRelease v. 1.5.0+dfsg-4 to Unstable (diff)
setuid and /var writeable
-rw-r--r--debian/changelog7
-rw-r--r--debian/netdata.service7
2 files changed, 9 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index c9a996aca..b20f03a5e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+netdata (1.5.0+dfsg-5) UNRELEASED; urgency=medium
+
+ * Make all of /var writeable avoiding any other MTA problems
+ * Add CAP_SETUID permission for the service
+
+ -- Lennart Weller <lhw@ring0.de> Mon, 06 Mar 2017 14:24:59 +0100
+
netdata (1.5.0+dfsg-4) unstable; urgency=medium
* Update service unit configuration (Closes: #856412)
diff --git a/debian/netdata.service b/debian/netdata.service
index 08eaff167..56aaeb333 100644
--- a/debian/netdata.service
+++ b/debian/netdata.service
@@ -32,17 +32,14 @@ WorkingDirectory=/tmp
NoNewPrivileges=false
PermissionsStartOnly=true
# CAP_SETGID is required for setgroups()
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID CAP_SETUID
PrivateTmp=true
ProtectHome=read-only
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/proc/self
-ReadWriteDirectories=/var/lib/netdata
-ReadWriteDirectories=/var/log/netdata
-ReadWriteDirectories=/var/cache/netdata
-ReadWriteDirectories=-/var/spool/postfix
+ReadWriteDirectories=/var
# Access to devices and kernel modules and tunables is required
PrivateDevices=no
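Review bot: `ReadWriteDirectories=/var` combined with `CAP_SETUID` in `CapabilityBoundingSet` gives up most of the filesystem confinement this unit had, because a process able to switch to another UID can then write to whatever that UID owns anywhere under /var (package state, cron and mail spools, other services' data) rather than only netdata's own directories. Keeping the three netdata paths and adding only the spool directories the MTA actually needs, each with the `-` prefix as the removed `ReadWriteDirectories=-/var/spool/postfix` had, would address the MTA problem with a far smaller write surface. The comment above `CapabilityBoundingSet` still explains only CAP_SETGID; a line such as `# CAP_SETUID is required for <caller that needs setuid()>` would record why the new capability is there, which matters more with `NoNewPrivileges=false` in the same block. Whether the daemon actually holds CAP_SETUID at runtime depends on the User= and related settings, which lie outside this hunk, so the impact should be confirmed against the full [Service] section.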