Use ambient capabilities to restrict systemd permissions

As the [Restic docs suggest](https://restic.readthedocs.io/en/latest/080_examples.html#using-ambient-capabilities-with-systemd), in the systemd services registered for resticprofile, there should be (at least as an option) the following values set:

```
# /etc/systemd/system/resticprofile-backup@profile-example.service

[Service]
# ... other directives
DynamicUser=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
```

This allows readonly access to all files but runs as a nonroot user (dynamic user with that permission only).

Note that this does *not* require setting up a particular restic user as the [resticprofile docs](https://creativeprojects.github.io/resticprofile/usage/noroot/index.html) describe.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Use ambient capabilities to restrict systemd permissions #607

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Use ambient capabilities to restrict systemd permissions #607

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions