[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)
Lennart Poettering
lennart at poettering.net
Wed Apr 8 14:31:34 PDT 2015
On Wed, 18.03.15 19:56, Nusenu (nusenu at openmailbox.org) wrote:
> Hi,
>
> I'm currently preparing a systemd service file for tor [1].
>
> We make use of CapabilityBoundingSet and first we had it set to:
>
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
>
> but after noticing that reloads fail I added CAP_KILL for reload to
> work *via* the systemctl command.
>
> CAP_KILL is not required if you reload the process manually (kill -HUP
> $PID) without using systemctl.
>
> That tells me that the ExecReload command (kill) is also restricted by
> CapabilityBoundingSet. Is this expected and does that imply that every
> service requires CAP_KILL for proper reloads with systemctl?
> Is it possible to specify distinct CapabilityBoundingSets for the
> service (ExecStart) and the reload (ExecReload)?
Simply set PermissionsStartOnly=yes in your unit file. If so, the
permission-related settings (includeing CapabilityBoundingSet=) will
only be applied to ExecStart=, not the ExecReload= or the other lines.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list