From 162e0b75f9c9f698f94c228c2f9148120f03e9a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 19 Sep 2018 10:00:09 +0200
Subject: [PATCH] Revert "timesyncd: enable DynamicUser="
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 48d3e88c18258d423c3953372ec4a2e638ab0422.

I kept the follow-symlink=false → follow-symlink=true change instact, since
we're likely to have existing installations with a symlink now.
---
 units/systemd-timesyncd.service.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 7478906ae5..12f918dd11 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -25,10 +25,11 @@ RestartSec=0
 ExecStart=!!@rootlibexecdir@/systemd-timesyncd
 WatchdogSec=3min
 User=systemd-timesync
-DynamicUser=yes
 CapabilityBoundingSet=CAP_SYS_TIME
 AmbientCapabilities=CAP_SYS_TIME
+PrivateTmp=yes
 PrivateDevices=yes
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes