From 87a85e25a2ebcc1e519249d0513e34bb20ceed49 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 10 Aug 2017 16:07:08 +0900
Subject: [PATCH] units: make use of !! ExecStart= prefix in systemd-timesyncd.service

Let's make use of !! to run timesyncd with ambient capabilities on systems supporting them.
---
 src/timesync/timesyncd.c | 10 +++++++---
 units/systemd-timesyncd.service.in | 8 +++++---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
index 86c14020b45..31e84b1aed3 100644
--- a/src/timesync/timesyncd.c
+++ b/src/timesync/timesyncd.c
@@ -111,9 +111,13 @@ int main(int argc, char *argv[]) {
 if (r < 0)
 goto finish;
 
- r = drop_privileges(uid, gid, (1ULL << CAP_SYS_TIME));
- if (r < 0)
- goto finish;
+ /* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
+ * privileges are already dropped. */
+ if (geteuid() == 0) {
+ r = drop_privileges(uid, gid, (1ULL << CAP_SYS_TIME));
+ if (r < 0)
+ goto finish;
+ }
 
 assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);
 
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 8d328bb80a4..e25d86d655b 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -12,7 +12,7 @@ ConditionCapability=CAP_SYS_TIME
 ConditionVirtualization=!container
 DefaultDependencies=no
 RequiresMountsFor=/var/lib/systemd/clock
-After=systemd-remount-fs.service systemd-tmpfiles-setup.service systemd-sysusers.service
+After=systemd-remount-fs.service systemd-sysusers.service
 Before=time-sync.target sysinit.target shutdown.target
 Conflicts=shutdown.target
 Wants=time-sync.target
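Review bot: The comment on the new `geteuid() == 0` guard says a non-root start means privileges are "already dropped", but nothing on that path checks that CAP_SYS_TIME is actually held; the daemon then depends entirely on the unit's AmbientCapabilities= setting and would only notice a missing capability later, when it first tries to adjust the clock. I would make that coupling explicit in the comment: `/* When started unprivileged via the !! ExecStart= prefix we rely on the unit's AmbientCapabilities=CAP_SYS_TIME; we do not re-check it here. */`. The uid/gid values handed to drop_privileges() appear to be resolved before this hunk; if so, that lookup is now wasted work on the unprivileged path and could move inside the new branch. main() begins and ends outside the hunk.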
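Review bot: The After= line drops the ordering on systemd-tmpfiles-setup.service, and neither the commit message nor the unit says why; since the service is also being switched to run under a dedicated user in the following hunk, ordering against whatever tmpfiles-setup presumably prepares for it is exactly what a later reader will want justified. A sentence in the commit message, or a comment above the line such as `# ordering after systemd-tmpfiles-setup.service dropped on purpose: <reason>`, would record that this is intentional rather than incidental.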
@@ -21,9 +21,11 @@ Wants=time-sync.target
 Type=notify
 Restart=always
 RestartSec=0
-ExecStart=@rootlibexecdir@/systemd-timesyncd
+ExecStart=!!@rootlibexecdir@/systemd-timesyncd
 WatchdogSec=3min
-CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+User=systemd-timesync
+CapabilityBoundingSet=CAP_SYS_TIME
+AmbientCapabilities=CAP_SYS_TIME
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=strict
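Review bot: CapabilityBoundingSet= is narrowed to CAP_SYS_TIME only, yet on kernels without ambient-capability support the `!!` prefix presumably falls back to starting the binary as root so it can drop privileges itself (the matching timesyncd.c change keeps that path alive), and the old bounding set suggests drop_privileges() relies on CAP_SETUID/CAP_SETGID/CAP_SETPCAP to switch to systemd-timesync. This is only sound if the manager's `!!` fallback re-adds those capabilities to the bounding set — I believe it does, but the unit should state the two modes rather than leave readers to work it out, e.g. `# With ambient capabilities !! is a no-op and the daemon runs as User= with CAP_SYS_TIME; without them it starts as root and drops privileges itself`. Dropping CAP_CHOWN/CAP_DAC_OVERRIDE/CAP_FOWNER is likewise unexplained; a line in the commit message saying why the daemon no longer needs them would help anyone bisecting a later permission failure on its state files.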