ead7af3093
It's lightweight and generally useful, so it should be enabled by default. But users might want to disable it for whatever reason, and things should be fine without it, so let's make it installable so it can be disabled if wanted. Fixes #15175.
45 lines
1.1 KiB
SYSTEMD
45 lines
1.1 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1+
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=User Database Manager
|
|
Documentation=man:systemd-userdbd.service(8)
|
|
Requires=systemd-userdbd.socket
|
|
After=systemd-userdbd.socket
|
|
Before=sysinit.target
|
|
DefaultDependencies=no
|
|
|
|
[Service]
|
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
|
|
ExecStart=@rootlibexecdir@/systemd-userdbd
|
|
IPAddressDeny=any
|
|
LimitNOFILE=@HIGH_RLIMIT_NOFILE@
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectSystem=strict
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
Type=notify
|
|
@SERVICE_WATCHDOG@
|
|
|
|
[Install]
|
|
Also=systemd-userdbd.socket
|