timesyncd: run timesyncd as unpriviliged user "systemd-timesync" (but still with...

[elogind.git] / units / systemd-timesyncd.service.in

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index e279d1bc29f054c5f996abc3dc004dde20767c74..158438e627e6968683acab5e4e5c1616c9e1b0c9 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -16,7 +16,9 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-timesyncd
-CapabilityBoundingSet=CAP_SYS_TIME
+CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP
+PrivateTmp=yes
+PrivateDevices=yes
 
 [Install]
 WantedBy=multi-user.target