systemd: use PrivateUsers= in user unit

ProtectSystem= and other sandboxing options require a user namespace in
order to work as user units (the user manager does not run as root and
thus without a user namespace it is unable to perform mounts).
Luca Boccassi 2022-11-03 23:11:13 +00:00
parent 0efbd4df8b
commit 714bb991aa
1 changed files with 2 additions and 0 deletions

@ -19,6 +19,8 @@ LimitRTTIME=infinity
# for io_uring
LimitMEMLOCK=64M
# Required in order for ProtectSystem= (and other sandboxing) to work
PrivateUsers=yes
# disallow writing to /usr, /bin, /sbin, ...
ProtectSystem=yes
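
Review bot: the comment added above PrivateUsers=yes says the setting is required for ProtectSystem= to work but not why, and the reason currently lives only in the commit message. Suggest carrying it into the unit file, for example "# User units need a user namespace for ProtectSystem= and other sandboxing: the user manager is not root and cannot perform mounts without one", so that someone tidying the unit later does not drop PrivateUsers=yes and leave ProtectSystem=yes unable to work. The "(and other sandboxing)" wording could also name which options in this unit depend on it, since ProtectSystem=yes is the only one visible in this hunk.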