scripts: add NoNewPrivileges=true to systemd unit file (#5381)

Also add comment about unsupported options in different systemd versions.
2025-05-28 10:12:37 +00:00 · 2018-08-16 21:07:36 +10:00 · 2018-08-16 21:07:36 +10:00 · 3c227af508
commit 3c227af508
parent 4c1a479a60
1 changed files with 4 additions and 1 deletions
--- a/scripts/systemd/gogs.service
+++ b/scripts/systemd/gogs.service
@ -18,10 +18,13 @@ WorkingDirectory=/home/git/gogs
 ExecStart=/home/git/gogs/gogs web
 Restart=always
 Environment=USER=git HOME=/home/git
-# Hardening
+
+# Some distributions may not support these hardening directives. If you cannot start the service due
+# to an unknown option, comment out the ones not supported by your version of systemd.
 ProtectSystem=full
 PrivateDevices=yes
 PrivateTmp=yes
+NoNewPrivileges=true

 [Install]
 WantedBy=multi-user.target