fix: archivmail.service needs CAP_NET_ADMIN to enable the firewall
The admin endpoint "Enable firewall" (POST /api/admin/security/fix, enable_firewall) calls "nft -f /etc/nftables.conf". flush ruleset requires CAP_NET_ADMIN, which was missing from the systemd unit until now, so the call failed with "Operation not permitted".
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+3
-2
@@ -628,8 +628,9 @@ Requires=postgresql.service manticore.service
Type=simple
User=${AM_USER}
Group=${AM_USER}
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# CAP_NET_ADMIN: required for the admin "enable firewall" action (nft -f /etc/nftables.conf)
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
ExecStart=${INSTALL_DIR}/archivmail --config ${CONFIG_DIR}/config.yml
Restart=on-failure
RestartSec=5
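Review bot: Adding CAP_NET_ADMIN to AmbientCapabilities and CapabilityBoundingSet (the two replaced lines) hands the whole long-running archivmail process, which also serves the HTTP API, the power to rewrite firewall rules, interfaces and routing at any time, not just during the one admin action the comment describes; a bug or compromise in any other handler of that process could then flush or replace the ruleset instead of merely failing with "Operation not permitted". Consider keeping the service at CAP_NET_BIND_SERVICE and delegating the single privileged step to a narrowly scoped helper (for example a root-owned oneshot unit or a sudoers entry restricted to exactly `nft -f /etc/nftables.conf`) that the enable_firewall action invokes. If the capability stays on the service, document in the comment that every nf_tables netlink write, not only flush ruleset, requires CAP_NET_ADMIN, and make sure /etc/nftables.conf is root-owned and not writable by ${AM_USER}, since the unit runs as User=${AM_USER} and Group=${AM_USER} and only needs to read that file.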