On Mon, 5 Sep 2016, Philipp Huebner wrote:

> On 05.09.2016 at 08:34, Jasper Wallace wrote:
> > Commenting out "NoNewPrivileges=true" in the 16.08
> > ejabberd.service makes it work.
> >
> > Also is "CapabilityBoundingSet=CAP_DAC_OVERRIDE" needed? afaict it
> > actually broadens ejabberd privileges rather than narrows them (it works
> > without it).
>
> Please see https://github.com/processone/ejabberd/pull/1178 about that.
>
> Could you try
> "setcap CAP_DAC_OVERRIDE=+ep /usr/lib/erlang/p1_pam/bin/epam"
> instead of using sgid shadow and report back?

Just had a chance to try it - it works. But if "NoNewPrivileges=true" is
added back to the .service file it breaks again.

> Regards,
>

--
[http://pointless.net/] [0x416333590FC0E569]

