scripts: add NoNewPrivileges=true to systemd unit file (#5381)

Also add comment about unsupported options in different systemd versions.
author: Steven Haigh <netwiz@crc.id.au> 2018-08-16 21:07:36 +1000
committer: 无闻 <u@gogs.io> 2018-08-16 19:07:36 +0800
commit: 3c227af508b085f9113c36892ce9c52b940761f9 (patch)
tree: 2b34d8fd733d3b60d03e26c4751492a0ec8cc8ef /scripts/systemd
parent: 4c1a479a60c0cebd7715f6e79d48471b91b28671 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/scripts/systemd/gogs.service b/scripts/systemd/gogs.service
index d9f12e30..3a89662a 100644
--- a/scripts/systemd/gogs.service
+++ b/scripts/systemd/gogs.service
@@ -18,10 +18,13 @@ WorkingDirectory=/home/git/gogs
 ExecStart=/home/git/gogs/gogs web
 Restart=always
 Environment=USER=git HOME=/home/git
-# Hardening
+
+# Some distributions may not support these hardening directives. If you cannot start the service due
+# to an unknown option, comment out the ones not supported by your version of systemd.
 ProtectSystem=full
 PrivateDevices=yes
 PrivateTmp=yes
+NoNewPrivileges=true
 
 [Install]
 WantedBy=multi-user.target
author	Steven Haigh <netwiz@crc.id.au>	2018-08-16 21:07:36 +1000
committer	无闻 <u@gogs.io>	2018-08-16 19:07:36 +0800
commit	3c227af508b085f9113c36892ce9c52b940761f9 (patch)
tree	2b34d8fd733d3b60d03e26c4751492a0ec8cc8ef /scripts/systemd
parent	4c1a479a60c0cebd7715f6e79d48471b91b28671 (diff)