From 5d9d30560a8980e32ffc686627c9dcd0570baed8 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Sun, 1 Dec 2019 17:21:18 +0000
Subject: [PATCH] Add CapabilityBoundingSet to systemd unit file

---
 sapi/fpm/php-fpm.service.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sapi/fpm/php-fpm.service.in b/sapi/fpm/php-fpm.service.in
index f58ea08af8ff8..5111ae8c8ff86 100644
--- a/sapi/fpm/php-fpm.service.in
+++ b/sapi/fpm/php-fpm.service.in
@@ -32,6 +32,9 @@ NoNewPrivileges=true
 # but no physical devices such as /dev/sda.
 PrivateDevices=true
 
+# Required for dropping privileges for running as a different user and changin owner and root.
+CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+
 # Explicit module loading will be denied. This allows to turn off module load and unload
 # operations on modular kernels. It is recommended to turn this on for most services that
 # do not need special file systems or extra kernel modules to work.
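Review bot: The new `CapabilityBoundingSet=` line is an allowlist, so every capability it does not name is also removed from the root master, while the comment above it accounts only for the privilege drop, chown and chroot. A master that stays root but must signal workers running under a pool user, open log or socket paths it does not own, or bind a port below 1024 would need `CAP_KILL`, `CAP_DAC_OVERRIDE` or `CAP_NET_BIND_SERVICE`. Whether FPM depends on any of these is not visible in this hunk, so a reload/stop test and a pool using `process.priority` or `slowlog` should be run under this unit before it ships. I would extend the comment to say so, e.g. `# Allowlist: anything not listed is unavailable even to the root master; extend it if a pool needs a privileged port, process.priority or slowlog.` The added comment also has a typo, `changin` for `changing`.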