Use dynamic unprivileged user instead of root. (#27)

metal-stack · Dec 9, 2024 · 0f88df0 · 0f88df0
1 parent a849783
commit 0f88df0
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/systemd/nftables-exporter.service b/systemd/nftables-exporter.service
@@ -6,8 +6,9 @@ After=network-online.target
 Type=simple
 PIDFile=/run/nftables_exporter.pid
 ExecStart=/usr/bin/nftables-exporter
-User=root
-Group=root
+DynamicUser=true
+AmbientCapabilities=CAP_NET_ADMIN
+NoNewPrivileges=true
 SyslogIdentifier=nftables-exporter
 Restart=on-failure
 RemainAfterExit=no