ansible-vault
AmbientCapabilities in systemd units is more privileged than Hashicorp's unit
While reviewing the official Hashicorp Vault Hardening guidelines, I found a difference between the systemd unit of this repository and the official units installed with the Hashicorp Linux packages.
One of the more relevant parts for me is AmbientCapabilities, which is set to CAP_IPC_LOCK on the Hashicorp repo, but CAP_SYSLOG CAP_IPC_LOCK here.
This modification was added in this commit https://github.com/ansible-community/ansible-vault/commit/5c4f74aef5724434c15efae5ae01740b7b5020f0 without much explanation, and I have tested on my setup reverting to AmbientCapabilities=CAP_IPC_LOCK without any issues.
Why is there this difference? If there is no specific reason, I would be pleased to contribute to this repo with this simple PR!
There are also other differences, for ulimits for example, but they are not a specific issue in my case.
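
Added example, not part of the original issue or of either project's code: a small audit that reads a unit file and reports any ambient capability beyond CAP_IPC_LOCK, the value the issue attributes to the Hashicorp packages. The sample unit is constructed, the function names are hypothetical, and the script reads a single unit file without merging drop-in overrides.

```python
import sys

# Allowlist taken from the issue: the value it attributes to Hashicorp's unit.
ALLOWED = {"CAP_IPC_LOCK"}

# Constructed sample unit using the value the issue quotes for this repository.
SAMPLE_UNIT = """\
[Unit]
Description=Vault (constructed sample)

[Service]
User=vault
# comments and blank lines are ignored
AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK
"""

def ambient_capabilities(unit_text):
    """Return the ambient capability set configured in the [Service] section."""
    caps, section = set(), None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "AmbientCapabilities":
            continue
        if not value:
            caps = set()  # an empty assignment resets earlier settings
        elif value.startswith("~"):
            raise ValueError("inverted list (~) is not handled by this example")
        else:
            caps |= set(value.split())  # repeated assignments are merged
    return caps

def extra_capabilities(unit_text, allowed=ALLOWED):
    """Capabilities granted by the unit that are not on the allowlist."""
    return sorted(ambient_capabilities(unit_text) - set(allowed))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNIT
    extra = extra_capabilities(text)
    print("extra ambient capabilities:", ", ".join(extra) or "none")
    sys.exit(1 if extra else 0)
```

Run with a unit file path as the only argument; the exit status is non-zero when the unit grants anything outside the allowlist, which makes it usable as a CI check on the role's template output.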