Comment on PrivateUsers option for gitea.service (#20383)

* Comment on PrivateUsers option for gitea.service

A user happens to encounter an issue where PrivateUsers sandboxed Gitea.service and it effectively stop systemd from applying capabilities for that gitea.service. I am opening this PR to provide comments on PrivateUsers, effectively a tiny FAQ information for end-user.

diff --git a/contrib/systemd/gitea.service b/contrib/systemd/gitea.service
index d6a4377ec8091b816a7dda3d194b570f9ca9e596..79c34564bc977b4f447f185308eeb8444d7e054f 100644 (file)
--- a/contrib/systemd/gitea.service
+++ b/contrib/systemd/gitea.service
@@ -78,6 +78,13 @@ Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
 #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 #AmbientCapabilities=CAP_NET_BIND_SERVICE
 ###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on gitea process. The following
+# value if set to true sandboxes gitea service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
+###
 
 [Install]
 WantedBy=multi-user.target