options such as mail might require setuid/setgid and hence we can't disable this by default

aafb1585 · mh · 9dee3ca7 · aafb1585 · aafb1585
Commit aafb1585 authored Jan 07, 2019 by mh
--- a/manifests/fpm.pp
+++ b/manifests/fpm.pp
@@ -8,6 +8,7 @@ define php::fpm(
  Hash                            $additional_envs = {},
  Hash                            $php_settings    = {},
  Hash                            $fpm_settings    = {},
+  Hash                            $systemd_options = {},
  String                          $run_user        = "${name}_run",
  String                          $run_group       = $name,
  Array[Stdlib::Compat::Absolute_Path]

--- a/templates/fpm/systemd-service.erb
+++ b/templates/fpm/systemd-service.erb
@@ -16,7 +16,9 @@ RuntimeDirectory=fpm-<%= @name %>
 SyslogIdentifier=fpm-<%= @name %>
 # security settings
 PrivateTmp=true
+<% if @systemd_options['no_new_privileges'] -%>
 NoNewPrivileges=true
+<% end -%>
 ProtectSystem=full
 # to be migrated once in EL7
 # ProtectSystem=strict