units: make use of !! ExecStart= prefix in systemd-timesyncd.service

Let's make use of !! to run timesyncd with ambient capabilities on
systems supporting them.

src/timesync/timesyncd.c

@@ -111,9 +111,13 @@ int main(int argc, char *argv[]) {
         if (r < 0)
                 goto finish;
 
-        r = drop_privileges(uid, gid, (1ULL << CAP_SYS_TIME));
-        if (r < 0)
-                goto finish;
+        /* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
+         * privileges are already dropped. */
+        if (geteuid() == 0) {
+                r = drop_privileges(uid, gid, (1ULL << CAP_SYS_TIME));
+                if (r < 0)
+                        goto finish;
+        }
 
         assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);
 

units/systemd-timesyncd.service.in

@@ -12,7 +12,7 @@ ConditionCapability=CAP_SYS_TIME
 ConditionVirtualization=!container
 DefaultDependencies=no
 RequiresMountsFor=/var/lib/systemd/clock
-After=systemd-remount-fs.service systemd-tmpfiles-setup.service systemd-sysusers.service
+After=systemd-remount-fs.service systemd-sysusers.service
 Before=time-sync.target sysinit.target shutdown.target
 Conflicts=shutdown.target
 Wants=time-sync.target
@@ -21,9 +21,11 @@ Wants=time-sync.target
 Type=notify
 Restart=always
 RestartSec=0
-ExecStart=@rootlibexecdir@/systemd-timesyncd
+ExecStart=!!@rootlibexecdir@/systemd-timesyncd
 WatchdogSec=3min
-CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+User=systemd-timesync
+CapabilityBoundingSet=CAP_SYS_TIME
+AmbientCapabilities=CAP_SYS_TIME
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=strict