From: Holger Weiss <holger@zedat.fu-berlin.de>
Date: Wed, 19 Oct 2016 21:11:26 +0000 (+0200)
Subject: Don't let systemd hide /home and /tmp
X-Git-Tag: 16.12-beta1~15^2^2~6
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f56840a68271c52fa17a51f7de2601e55da14018;p=ejabberd

Don't let systemd hide /home and /tmp

Admins might expect ejabberd to be able to access data below /home or
/tmp.  For example, they might use those locations to dump/restore
Mnesia backups, or as a document root for mod_http_fileserver or
mod_http_upload.

Fixes #1297.
---

diff --git a/ejabberd.service.template b/ejabberd.service.template
index 49ba14737..fdb8fd0b7 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -14,9 +14,7 @@ Type=oneshot
 RemainAfterExit=yes
 # The CAP_DAC_OVERRIDE capability is required for pam authentication to work
 CapabilityBoundingSet=CAP_DAC_OVERRIDE
-PrivateTmp=true
 PrivateDevices=true
-ProtectHome=true
 ProtectSystem=full
 NoNewPrivileges=true