From 895464f92f960725cf45f427dfeefcab9bce224e Mon Sep 17 00:00:00 2001
From: Luke Shumaker <lukeshu@lukeshu.com>
Date: Fri, 31 Aug 2018 01:56:41 -0400
Subject: Drop privileges

---
 qemu.in          | 3 +++
 qemu@.service.in | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/qemu.in b/qemu.in
index 566cacf..c3385f8 100755
--- a/qemu.in
+++ b/qemu.in
@@ -7,10 +7,13 @@ numactl=()
 source "@pkgconfdir@/$1"
 args+=(
 	-name "$1",debug-threads=on
+	-runas "$USER"
 	-pidfile "@runstatedir@/qemu-$1/pid"
+
 	-vnc     unix:"@runstatedir@/qemu-$1/vnc.sock"
 	-monitor unix:"@runstatedir@/qemu-$1/monitor.sock",server,nowait
 	-serial  file:"/dev/stdout"
+
 	-daemonize
 )
 
diff --git a/qemu@.service.in b/qemu@.service.in
index 000419e..cc4c925 100644
--- a/qemu@.service.in
+++ b/qemu@.service.in
@@ -7,10 +7,11 @@ Before=machines.target
 [Service]
 Type=notify
 NotifyAccess=all
+DynamicUser=yes
 RuntimeDirectory=qemu-%I
 PIDFile=@runstatedir@/qemu-%I/pid
-ExecStart=@BINPROG@ %I
-ExecStop=@SOCAT@ SYSTEM:'echo system_powerdown; sleep infinity' UNIX-CONNECT:@runstatedir@/qemu-%I/monitor.sock
+ExecStart=!@BINPROG@ %I
+ExecStop=!@SOCAT@ SYSTEM:'echo system_powerdown; sleep infinity' UNIX-CONNECT:@runstatedir@/qemu-%I/monitor.sock
 
 [Install]
 WantedBy=machines.target
-- 
cgit v1.1-4-g5e80