Remove the PrivateDevices option from gpx-import
author Tom Hughes <tom@compton.nu>
Mon, 16 Jul 2018 11:15:01 +0000 (12:15 +0100)
committer Tom Hughes <tom@compton.nu>
Mon, 16 Jul 2018 11:15:01 +0000 (12:15 +0100)
This now implies NoNewPrivileges=true which stops gpx-import
being able to run the (setuid) exim to send mail.

cookbooks/web/recipes/gpx.rb

index ecf63a9a9573dcfeea8b8da0559270d9feb68f56..370b3113fd115d84f2d0df2b7e41b593da5ce422 100644 (file)
@@ -74,7 +74,6 @@ systemd_service "gpx-import" do
   exec_start "#{gpx_directory}/src/gpx-import"
   exec_reload "/bin/kill -HUP $MAINPID"
   private_tmp true
-  private_devices true
   protect_system "full"
   protect_home true
   restart "on-failure"
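
Review bot: Dropping `private_devices true` from between `private_tmp true` and `protect_system "full"` leaves nothing in the recipe to say why this one hardening option is missing, so a later hardening pass could re-add it and break mail delivery again. Suggest a short comment in the `systemd_service "gpx-import"` block recording the reason given in the commit message: PrivateDevices implies NoNewPrivileges=true, and gpx-import has to run the setuid exim. It is also worth confirming on the deployed systemd version that the options kept here (`private_tmp`, `protect_system`, `protect_home`) do not carry the same implication, and noting in the comment that /dev is no longer private for this service, so the trade-off is visible to the next reader.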