setuid and /var writeable

author: Lennart Weller <lhw@ring0.de> 2017-03-06 13:26:11 +0000
committer: Lennart Weller <lhw@ring0.de> 2017-03-06 13:26:11 +0000
commit: ddac3bd0ae77f5a722df7ae2ae1938055c20012a (patch)
tree: 2053d79f0e98cd062318582ee6eb0e11d46ac17c /debian/netdata.service
parent: Release v. 1.5.0+dfsg-4 to Unstable (diff)
download: netdata-ddac3bd0ae77f5a722df7ae2ae1938055c20012a.tar.xz
netdata-ddac3bd0ae77f5a722df7ae2ae1938055c20012a.zip
1 files changed, 2 insertions, 5 deletions
diff --git a/debian/netdata.service b/debian/netdata.service
index 08eaff167..56aaeb333 100644
--- a/debian/netdata.service
+++ b/debian/netdata.service
@@ -32,17 +32,14 @@ WorkingDirectory=/tmp
 NoNewPrivileges=false
 PermissionsStartOnly=true
 # CAP_SETGID is required for setgroups()
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID CAP_SETUID
 PrivateTmp=true
 ProtectHome=read-only
 ProtectSystem=full
 
 ReadOnlyDirectories=/
 ReadWriteDirectories=/proc/self
-ReadWriteDirectories=/var/lib/netdata
-ReadWriteDirectories=/var/log/netdata
-ReadWriteDirectories=/var/cache/netdata
-ReadWriteDirectories=-/var/spool/postfix
+ReadWriteDirectories=/var
 
 # Access to devices and kernel modules and tunables is required
 PrivateDevices=no
author	Lennart Weller <lhw@ring0.de>	2017-03-06 13:26:11 +0000
committer	Lennart Weller <lhw@ring0.de>	2017-03-06 13:26:11 +0000
commit	ddac3bd0ae77f5a722df7ae2ae1938055c20012a (patch)
tree	2053d79f0e98cd062318582ee6eb0e11d46ac17c /debian/netdata.service
parent	Release v. 1.5.0+dfsg-4 to Unstable (diff)
download	netdata-ddac3bd0ae77f5a722df7ae2ae1938055c20012a.tar.xz netdata-ddac3bd0ae77f5a722df7ae2ae1938055c20012a.zip