From: David Herrmann Date: Tue, 1 Oct 2013 15:59:44 +0000 (+0200) Subject: logind: run with CAP_SYS_ADMIN X-Git-Tag: v208~6 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=11c2f7a81381127c253cc6fd05da6dad0d842336;hp=dfd552707d43087a1e0079cdae9f5290e14b78e9 logind: run with CAP_SYS_ADMIN DRM Master access requires CAP_SYS_ADMIN, yay! Add it to the capability bounding set for systemd-logind. As CAP_SYS_ADMIN actually allows a huge set of actions, this mostly renders the restriction-set useless. Anyway, patches are already pending to reduce the restriction on the kernel side. But these won't really make it into any stable-release so for now we're stuck with CAP_SYS_ADMIN. --- diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index 6b687171c..31b5cd011 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -18,7 +18,7 @@ ExecStart=@rootlibexecdir@/systemd-logind Restart=always RestartSec=0 BusName=org.freedesktop.login1 -CapabilityBoundingSet=CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG # Increase the default a bit in order to allow many simultaneous # logins since we keep one fd open per session.