Using NoNewPrivileges=no in systemd process?

hello, I’m working on reviving an old scuttlebutt pub yunohost package that was archived – since the time it was archived (set to unmaintained) there has been a new, better-working implementation of scuttlebutt, which I am integrating.

In this package, there is one web app process (called peach-web), which monitors, stops and restarts a second process which is the scuttlebutt server (called tilde-sbot) via systemd.

Three years ago I was able to make this work by adding a file to /etc/sudoers.d/peachpub_ynh which explicitly allowed the peach-web process to stop, start and restart tilde-sbot via systemctl (file is here: peachpub_ynh/conf/sudoers at master · YunoHost-Apps/peachpub_ynh · GitHub)

However, now when I have tried to do this, I still run into the error:

sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

I have tried adjusting the permissions of the systemd unit for peach-web, but still I am running into this issue.

I wanted to sanity check – has there been a change to yunohost that sets NoNewPrivileges=yes for my systemd unit somewhere earlier that it inherits?

Here is the systemd unit I am using for peach-web:

[Unit]
Description=peach-web service
After=network.target

[Service]
Type=simple
User=peachpub_ynh
Group=peachpub_ynh
Restart=always
WorkingDirectory=/var/www/peachpub_ynh/
Environment="PEACH_CONFIGDIR=/var/www/peachpub_ynh/config"
Environment="PEACH_CONFIG_PATH=/var/www/peachpub_ynh/config/config.yml"
Environment="RUST_LOG=info"
ExecStart=/var/www/peachpub_ynh/peach-web
StandardOutput=append:/var/log/peachpub_ynh/peachpub_ynh-peach-web.log
StandardError=inherit

# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=no
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @swap

# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
#CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG

[Install]
WantedBy=multi-user.target

And here are the commands that make me think that something else might be enforcing NoNewPrivileges despite my setting it to no in the systemd unit:

root@apub:/srv/priv# systemctl show -p MainPID peachpub_ynh-peach-web.service
MainPID=110161
root@apub:/srv/priv# cat /proc/110161/status | grep NoNewPrivs
NoNewPrivs:	1

Thanks for any guidance!

update: I just tried temporarily commenting out all of the sandboxing lines in the systemd unit file, and this got rid of the issue and gave NoNewPrivs: 0.

Therefore I will just try, through a slow process of elimination, to figure out what is needed.

Not sure I understand why it requires high privileges.

@jarod5001 peach-web uses systemctl to monitor and manage tilde-sbot

the additional sudoers file allows running:

systemctl start tilde-sbot
systemctl stop tilde-sbot
systemctl restart tilde-sbot
systemctl enable tilde-sbot
systemctl disable tilde-sbot

by process of elimination, the following lines needed to be commented out in order to allow peach-web to stop and restart tilde-sbot via systemctl:

#NoNewPrivileges=yes
#PrivateDevices=yes
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
#RestrictNamespaces=yes
#RestrictRealtime=yes
#ProtectKernelModules=yes
#ProtectKernelTunables=yes
#LockPersonality=yes
#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @swap
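The lines found by elimination above have something in common: each of them is implemented with a seccomp filter, and the kernel only lets a process that lacks CAP_SYS_ADMIN install one when the no_new_privs flag is set, which is why systemd.exec(5) documents them under NoNewPrivileges= as settings that override its configured value. The checker below is an added example, not code from this thread or from YunoHost: it flags the lines in a unit file that will force NoNewPrivs on for a service with a non-root User=. The list of settings is copied from that man page (check the one on your system, the list has grown across releases), the sample unit is constructed to mirror the post, and treating User=root as keeping CAP_SYS_ADMIN is a heuristic that ignores CapabilityBoundingSet=.

```shell
#!/bin/sh
# Settings that systemd.exec(5) documents as overriding NoNewPrivileges=
# (assumption: copied from the man page; verify against your version).
NNP_IMPLYING_SETTINGS="DynamicUser LockPersonality MemoryDenyWriteExecute PrivateDevices \
ProtectClock ProtectHostname ProtectKernelLogs ProtectKernelModules ProtectKernelTunables \
RestrictAddressFamilies RestrictNamespaces RestrictRealtime RestrictSUIDSGID \
SystemCallArchitectures SystemCallFilter SystemCallLog"

# Print every active (non-commented) line in unit file $1 that implies NoNewPrivileges.
nnp_implying_lines() {
    for key in $NNP_IMPLYING_SETTINGS; do
        grep -E "^[[:space:]]*${key}=" "$1" || true
    done
}

# True when the unit drops to a non-root user (heuristic: User= set and not root).
runs_as_non_root() {
    user=$(sed -n 's/^[[:space:]]*User=//p' "$1" | tail -n 1)
    [ -n "$user" ] && [ "$user" != "root" ]
}

# "implied": NoNewPrivs=1 regardless of NoNewPrivileges=no (the case in the post);
# "explicit": only NoNewPrivileges=yes turns it on; "off": neither applies.
effective_nnp() {
    if runs_as_non_root "$1" && [ -n "$(nnp_implying_lines "$1")" ]; then
        echo implied
    elif grep -qE '^[[:space:]]*NoNewPrivileges=(yes|true|1|on)[[:space:]]*$' "$1"; then
        echo explicit
    else
        echo off
    fi
}

# Constructed sample unit: NoNewPrivileges=no, but two sandboxing options that need seccomp.
SAMPLE_UNIT=$(mktemp)
trap 'rm -f "$SAMPLE_UNIT"' EXIT
cat >"$SAMPLE_UNIT" <<'EOF'
[Service]
User=peachpub_ynh
NoNewPrivileges=no
PrivateTmp=yes
PrivateDevices=yes
SystemCallFilter=~@clock @debug @module
EOF

echo "effective NoNewPrivileges: $(effective_nnp "$SAMPLE_UNIT")"   # implied
nnp_implying_lines "$SAMPLE_UNIT"
```

`systemctl show -p NoNewPrivileges` reports the configured value, not the effective one, so `/proc/PID/status` as used in the post is the right place to confirm. A suggestion the thread does not test: since the flag blocks setuid sudo but not D-Bus calls, a polkit rule letting the peachpub_ynh user manage the tilde-sbot unit would avoid relaxing the sandbox at all.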