[Unit]
Description=Update the locate database
Documentation=man:updatedb

[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectHome=read-only
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_CHOWN CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
IPAddressDeny=any
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
PrivateNetwork=true
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service @chown
Type=oneshot
ExecStart=/bin/sh -c \
          "chown -R ${RUN_UPDATEDB_AS}:root /var/lib/plocate && \
          su --shell=/bin/sh ${RUN_UPDATEDB_AS} -c 'umask 0022; /usr/sbin/updatedb'"

# Unfortunately, the umask we set here is lost because we invoke updatedb
# through 'su' to change to the user ${RUN_UPDATEDB_AS}. See bnc#941296 and
# bnc#1209409 for further details.
UMask=0022

LimitNOFILE=131072

# Alter the priority of the updatedb process
Nice=19
IOSchedulingClass=idle

# Load sysconfig
EnvironmentFile=/etc/sysconfig/locate