timesyncd: enable DynamicUser=

diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
index d895aa8..c026ef7 100644 (file)
--- a/src/timesync/timesyncd.c
+++ b/src/timesync/timesyncd.c
@@ -69,7 +69,7 @@ static int load_clock_timestamp(uid_t uid, gid_t gid) {
                 }
 
         } else {
-                r = mkdir_safe_label("/var/lib/systemd/timesync", 0755, uid, gid, false);
+                r = mkdir_safe_label("/var/lib/systemd/timesync", 0755, uid, gid, true);
                 if (r < 0)
                         return log_error_errno(r, "Failed to create state directory: %m");
 

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 8d3f46c..ed4bc8e 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -23,11 +23,10 @@ RestartSec=0
 ExecStart=!!@rootlibexecdir@/systemd-timesyncd
 WatchdogSec=3min
 User=systemd-timesync
+DynamicUser=yes
 CapabilityBoundingSet=CAP_SYS_TIME
 AmbientCapabilities=CAP_SYS_TIME
-PrivateTmp=yes
 PrivateDevices=yes
-ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes