From 6247a1dd5d4f9b103feb7b3fd71463bc66f5c288 Mon Sep 17 00:00:00 2001 From: CLanguagePurist <107034654+CLanguagePurist@users.noreply.github.com> Date: Sat, 16 Jul 2022 06:58:56 -0600 Subject: [PATCH] Comment on PrivateUsers option for gitea.service (#20383) * Comment on PrivateUsers option for gitea.service A user happens to encounter an issue where PrivateUsers sandboxed Gitea.service and it effectively stop systemd from applying capabilities for that gitea.service. I am opening this PR to provide comments on PrivateUsers, effectively a tiny FAQ information for end-user. --- contrib/systemd/gitea.service | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/contrib/systemd/gitea.service b/contrib/systemd/gitea.service index d6a4377ec8..79c34564bc 100644 --- a/contrib/systemd/gitea.service +++ b/contrib/systemd/gitea.service @@ -78,6 +78,13 @@ Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea #CapabilityBoundingSet=CAP_NET_BIND_SERVICE #AmbientCapabilities=CAP_NET_BIND_SERVICE ### +# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to +# set the following value to false to allow capabilities to be applied on gitea process. The following +# value if set to true sandboxes gitea service and prevent any processes from running with privileges +# in the host user namespace. +### +#PrivateUsers=false +### [Install] WantedBy=multi-user.target