module.nix: grant CAP_DAC_READ_SEARCH to daemon

2026-04-29 05:05:21 +09:00
parent b9b5fa5735
commit a0d5034e85
1 changed files with 4 additions and 2 deletions
@@ -73,8 +73,10 @@ in {
        # PrivateUsers = true;
        # ProtectHome = true;

-        AmbientCapabilities = "";
-        CapabilityBoundingSet = "";
+        # NOTE: We need this capability to be able to read inside the home directories of users without
+        #       them needing to open their homedirs to the rest of the system.
+        AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
+        CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
        DeviceAllow = "";
        DevicePolicy = "closed";
        LockPersonality = true;