Linux Manual Guide




systemd.exec(5)

Execution environment configuration

Security

NoNewPrivileges=
           Takes a boolean argument. If true, ensures that the service
           process and all its children can never gain new privileges
           through execve() (e.g. via setuid or setgid bits, or
           filesystem capabilities). This is the simplest and most
           effective way to ensure that a process and its children can
           never elevate privileges again. Defaults to false, but
           certain settings override this and ignore the value of this
           setting. This is the case when DynamicUser=,
           LockPersonality=, MemoryDenyWriteExecute=, PrivateDevices=,
           ProtectClock=, ProtectHostname=, ProtectKernelLogs=,
           ProtectKernelModules=, ProtectKernelTunables=,
           RestrictAddressFamilies=, RestrictNamespaces=,
           RestrictRealtime=, RestrictSUIDSGID=,
           SystemCallArchitectures=, SystemCallFilter=, or
           SystemCallLog= are specified. Note that even if this setting
           is overridden by them, systemctl show shows the original
           value of this setting. In case the service will be run in a
           new mount namespace anyway and SELinux is disabled, all file
           systems are mounted with MS_NOSUID flag. Also see No New
           Privileges Flag[4].

SecureBits=
           Controls the secure bits set for the executed process. Takes
           a space-separated combination of options from the following
           list: keep-caps, keep-caps-locked, no-setuid-fixup,
           no-setuid-fixup-locked, noroot, and noroot-locked. This
           option may appear more than once, in which case the secure
           bits are ORed. If the empty string is assigned to this
           option, the bits are reset to 0. This does not affect
           commands prefixed with "+". See capabilities(7) for details.
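The two settings above are usually applied together in a service drop-in, and the NoNewPrivileges= text notes that "systemctl show" reports the configured value rather than the effective one. The following is an added example, not part of the systemd manual: it writes such a drop-in under an assumed directory (on a real host this would be /etc/systemd/system/<unit>.d/, typically created with "systemctl edit") and then checks the flag the kernel actually applied by reading the "NoNewPrivs:" line of /proc/<pid>/status, which is the authoritative view of the no_new_privs bit for a running process. The helper names and the sample status text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from systemd.exec(5)): apply NoNewPrivileges= and
# SecureBits= via a drop-in, then verify the effective no_new_privs bit.

# Write a hardening drop-in into the given directory.
# The directory is an assumption for this example; on a real system it is
# /etc/systemd/system/<unit>.d/ and is followed by `systemctl daemon-reload`.
write_hardening_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/10-hardening.conf" <<'EOF'
[Service]
# The service and all its children can never gain privileges via execve()
# (setuid/setgid bits and file capabilities are ignored).
NoNewPrivileges=yes
# Remove root's special treatment for capabilities; the "-locked" variant
# keeps the process from re-enabling it later.
SecureBits=noroot noroot-locked
EOF
    printf '%s\n' "$dir/10-hardening.conf"
}

# Read the NoNewPrivs flag from a /proc/<pid>/status-style file.
# Prints 1 if the bit is set, 0 if clear. Exits with status 2 when the
# field is absent (kernels before 4.10 do not expose it), so a missing
# field is never mistaken for "cleared".
nonewprivs_from_status() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 }
         END { if (!found) exit 2 }' "$1"
}

# Same check for a live process id, e.g. the MainPID of a running service.
nonewprivs_for_pid() {
    nonewprivs_from_status "/proc/$1/status"
}

# Usage on a live host (not executed here):
#   nonewprivs_for_pid "$(systemctl show -p MainPID --value sshd.service)"
```

Because NoNewPrivileges= is also switched on implicitly by options such as SystemCallFilter= or ProtectKernelTunables=, a result of 1 from the /proc check with NoNewPrivileges=no in "systemctl show" is expected and not an error; the reverse (configured yes, effective 0) is what a defender should investigate.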