From 3c227af508b085f9113c36892ce9c52b940761f9 Mon Sep 17 00:00:00 2001
From: Steven Haigh
Date: Thu, 16 Aug 2018 21:07:36 +1000
Subject: [PATCH] scripts: add NoNewPrivileges=true to systemd unit file (#5381)

Also add comment about unsupported options in different systemd versions.
---
 scripts/systemd/gogs.service | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/systemd/gogs.service b/scripts/systemd/gogs.service
index d9f12e30e..3a89662a8 100644
--- a/scripts/systemd/gogs.service
+++ b/scripts/systemd/gogs.service
@@ -18,10 +18,13 @@ WorkingDirectory=/home/git/gogs
 ExecStart=/home/git/gogs/gogs web
 Restart=always
 Environment=USER=git HOME=/home/git
-# Hardening
+
+# Some distributions may not support these hardening directives. If you cannot start the service due
+# to an unknown option, comment out the ones not supported by your version of systemd.
 ProtectSystem=full
 PrivateDevices=yes
 PrivateTmp=yes
+NoNewPrivileges=true
 
 [Install]
 WantedBy=multi-user.target
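Review bot: `NoNewPrivileges=true`, added at the end of the hardening block, has a side effect the new comment does not mention: setuid bits and file capabilities stop taking effect for the gogs process and everything it spawns (git, hooks). An installation that lets Gogs listen on a port below 1024 via `setcap cap_net_bind_service` on the binary would presumably fail to bind after this change; nothing in the hunk shows whether that setup is in use. I would add a line above the directive such as `# NoNewPrivileges ignores setuid bits and file capabilities; for ports <1024 use AmbientCapabilities=CAP_NET_BIND_SERVICE`. The comment also advises commenting out unsupported directives, which quietly removes the sandboxing, so it could say to re-enable them once systemd is upgraded. The `[Service]` section starts outside the hunk.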