From bd9ddd7ca47f63baa57ac0843c4c2728839a6504 Mon Sep 17 00:00:00 2001 From: CLanguagePurist <107034654+CLanguagePurist@users.noreply.github.com> Date: Fri, 15 Jul 2022 09:00:11 -0600 Subject: [PATCH 1/3] Comment on PrivateUsers option for gitea.service A user happens to encounter an issue where PrivateUsers sandboxed Gitea.service and it effectively stops systemd from applying capabilities for that gitea.service. I am opening this PR to provide comments on PrivateUsers, effectively tiny FAQ information for end-users. --- contrib/systemd/gitea.service | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/contrib/systemd/gitea.service b/contrib/systemd/gitea.service index d6a4377ec809..f37bea1f62e4 100644 --- a/contrib/systemd/gitea.service +++ b/contrib/systemd/gitea.service @@ -78,6 +78,12 @@ Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea #CapabilityBoundingSet=CAP_NET_BIND_SERVICE #AmbientCapabilities=CAP_NET_BIND_SERVICE ### +# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to +# set the following value to false to allow capabilities to be applied on gitea process. The following +# value sandboxes gitea service and prevent any processes from running with privileges in the host user namespace. +### +#PrivateUsers=false +### [Install] WantedBy=multi-user.target From d8c462cd6b9b5bfd8bbc0c6f0f6287914b5a279c Mon Sep 17 00:00:00 2001 From: CLanguagePurist <107034654+CLanguagePurist@users.noreply.github.com> Date: Fri, 15 Jul 2022 09:03:01 -0600 Subject: [PATCH 2/3] Update gitea.service --- contrib/systemd/gitea.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/systemd/gitea.service b/contrib/systemd/gitea.service index f37bea1f62e4..fff247a14340 100644 --- a/contrib/systemd/gitea.service +++ b/contrib/systemd/gitea.service
@@ -80,7 +80,7 @@ Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea ### # In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to # set the following value to false to allow capabilities to be applied on gitea process. The following -# value sandboxes gitea service and prevent any processes from running with privileges in the host user namespace. +# value if set to true sandboxes gitea service and prevent any processes from running with privileges in the host user namespace. ### #PrivateUsers=false ### From 60d7a1a949d9e80886c3dbf452842c942ae5631f Mon Sep 17 00:00:00 2001 From: CLanguagePurist <107034654+CLanguagePurist@users.noreply.github.com> Date: Fri, 15 Jul 2022 10:03:08 -0600 Subject: [PATCH 3/3] Make a newline for comment as suggested by Silverwind Co-authored-by: silverwind --- contrib/systemd/gitea.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/contrib/systemd/gitea.service b/contrib/systemd/gitea.service index fff247a14340..79c34564bc97 100644 --- a/contrib/systemd/gitea.service +++ b/contrib/systemd/gitea.service @@ -80,7 +80,8 @@ Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea ### # In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to # set the following value to false to allow capabilities to be applied on gitea process. The following -# value if set to true sandboxes gitea service and prevent any processes from running with privileges in the host user namespace. +# value if set to true sandboxes gitea service and prevent any processes from running with privileges +# in the host user namespace. ### #PrivateUsers=false ###
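Review bot: In the first hunk (PATCH 1/3, `@@ -78,6 +78,12 @@`) the comment says "The following value sandboxes gitea service", but the value that follows is `#PrivateUsers=false`, which is the non-sandboxing setting; as written the text tells the reader the opposite of what the sample line does. It also helps to say why the two settings interact: with `PrivateUsers=true` the unit runs in its own user namespace, so `CapabilityBoundingSet=` and `AmbientCapabilities=` (the context lines just above) only grant capabilities inside that namespace and `CAP_NET_BIND_SERVICE` no longer lets gitea bind a privileged port on the host. Since `false` is systemd's default for `PrivateUsers=`, uncommenting the sample line only matters when something else (a drop-in or hardening preset) has turned it on; the comment should point the reader at checking for that rather than implying the line must be added. Suggested wording: `# PrivateUsers=true runs gitea in its own user namespace, so the capabilities granted above only apply inside it` / `# and cannot be used to bind privileged ports on the host. Leave it false (the default) when relying on AmbientCapabilities.`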
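Review bot: The rewritten line in the second hunk (PATCH 2/3, `@@ -80,7 +80,7 @@`) fixes the meaning but reads awkwardly ("value if set to true sandboxes gitea service and prevent any processes") and, at well over 100 columns, is much longer than the other comment lines in this block. Rephrasing as a full sentence clears both: `# If set to true, this option sandboxes the gitea service and prevents any of its processes` / `# from running with privileges in the host user namespace.` The subject/verb agreement ("prevents") and the missing articles ("the gitea service", "the gitea process", "options" on the first comment line) should be corrected at the same time.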
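Review bot: The third hunk (PATCH 3/3, `@@ -80,7 +80,8 @@`) only wraps the long line; the grammar from the previous commit is carried over unchanged ("value if set to true sandboxes gitea service and prevent"). Since this is the final state of the series, the wording fix belongs here as well, e.g. `# If set to true, this option sandboxes the gitea service and prevents any of its processes` / `# from running with privileges in the host user namespace.`, and the three commits could be squashed so the repository history records one coherent change to the comment block.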