From 714bb991aa18b1f96a394c69ffafbb8b70312dec Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Thu, 3 Nov 2022 23:11:13 +0000
Subject: [PATCH] systemd: use PrivateUsers= in user unit

ProtectSystem= and other sandboxing options require a user namespace in order to work as user units (the user manager does not run as root and thus without a user namespace it is unable to perform mounts).
---
 systemd/user/mpd.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/systemd/user/mpd.service.in b/systemd/user/mpd.service.in
index 4ee7015d0..91b24dc5f 100644
--- a/systemd/user/mpd.service.in
+++ b/systemd/user/mpd.service.in
@@ -19,6 +19,8 @@ LimitRTTIME=infinity
 # for io_uring
 LimitMEMLOCK=64M
+# Required in order for ProtectSystem= (and other sandboxing) to work
+PrivateUsers=yes
 # disallow writing to /usr, /bin, /sbin, ...
 ProtectSystem=yes
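Review bot: The added `PrivateUsers=yes` makes the unit's sandboxing depend on unprivileged user namespaces being available to the user manager, and the comment above it does not mention that dependency. On hosts where that kernel feature is disabled by policy, the namespace presumably cannot be created, so it is worth confirming whether the service then fails to start or runs without `ProtectSystem=` applied, and recording the outcome next to the option. A fuller comment would help, for example `# Needs unprivileged user namespaces: the user manager is not root and cannot do the mounts for ProtectSystem= without one`. It may also be worth verifying that access granted through supplementary groups (audio devices, for instance) still behaves as expected, since IDs that are not mapped appear as nobody inside the namespace.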