<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi,<br>
    <br>
    First of all, I'd like to note that I'm not sure if I'm writing in
    the right place.<br>
    <br>
    I have a problem with running a systemd service in a "capability-only
    environment": I want to run a process with some caps (cap_sys_admin
    cap_dac_override cap_mac_override) as a regular user (UID != 0).<br>
    My service config file looks something like this:<br>
    <blockquote><tt>User=test</tt><tt><br>
      </tt><tt>CapabilityBoundingSet=cap_sys_admin cap_dac_override
        cap_mac_override</tt><tt><br>
      </tt><tt>Capabilities=cap_sys_admin,cap_dac_override,cap_mac_override=eip</tt><tt><br>
      </tt><tt>SecureBits=keep-caps</tt><br>
    </blockquote>
    Unfortunately, the process does not gain any permissive
    capabilities:<br>
    <blockquote><tt>CapInh: 0000000100200002</tt><tt><br>
      </tt><tt>CapPrm: 0000000000000000</tt><tt><br>
      </tt><tt>CapEff: 0000000000000000</tt><tt><br>
      </tt><tt>CapBnd: 0000000100200002</tt><br>
    </blockquote>
    However, when I run the service as root (by removing "User=test"),
    the process does own the required caps:<br>
    <blockquote><tt>CapInh: 0000000100200002</tt><tt><br>
      </tt><tt>CapPrm: 0000000100200002</tt><tt><br>
      </tt><tt>CapEff: 0000000100200002</tt><tt><br>
      </tt><tt>CapBnd: 0000000100200002</tt><br>
    </blockquote>
    It looks like the "SecureBits=keep-caps" option, which should
    preserve permissive caps after root drop according to [1], does not
    work. Am I doing something wrong?<br>
    <br>
    Any response would be very helpful.<br>
    <br>
    Best Regards,<br>
    Michal Witanowski<br>
    <br>
    [1] <a href="http://linux.die.net/man/7/capabilities">http://linux.die.net/man/7/capabilities</a><br>
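    <br>
    An added example, not part of the original message: the script below decodes the capability masks quoted above and checks both outputs against the execve() transformation rule from capabilities(7) [1]. It assumes an empty ambient set and a service binary without file capabilities; the function names are illustrative.

```python
# Added example: decode the Cap* masks quoted in the message and apply the
# execve() rule from capabilities(7). Assumptions: ambient set empty, the
# service binary carries no file capabilities.
import re

# Bit numbers from linux/capability.h for the three capabilities in the unit.
CAP_BITS = {1: "cap_dac_override", 21: "cap_sys_admin", 32: "cap_mac_override"}
ALL = (1 << 64) - 1

def parse_status(text):
    """Return {'CapInh': int, ...} from /proc/PID/status style lines."""
    pairs = re.findall(r"^\s*(Cap\w+):\s*([0-9a-fA-F]+)", text, re.M)
    return {key: int(value, 16) for key, value in pairs}

def names(mask):
    """Decode a mask into names; bits outside CAP_BITS are shown as bitN."""
    return [CAP_BITS.get(b, f"bit{b}") for b in range(64) if mask >> b & 1]

def after_execve(p_inh, bnd, is_root, f_inh=0, f_prm=0, f_eff=False):
    """P'(prm) = (P(inh) & F(inh)) | (F(prm) & bnd); P'(eff) = F(eff) ? P'(prm) : 0.
    For UID 0 the file sets are treated as all ones and the effective bit as set.
    The keep-caps securebit does not enter this rule; it is cleared on execve()."""
    if is_root:
        f_inh, f_prm, f_eff = ALL, ALL, True
    prm = (p_inh & f_inh) | (f_prm & bnd)
    return {"CapInh": p_inh, "CapPrm": prm, "CapEff": prm if f_eff else 0, "CapBnd": bnd}

# The two outputs quoted in the message.
AS_USER = """CapInh: 0000000100200002
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000100200002"""
AS_ROOT = """CapInh: 0000000100200002
CapPrm: 0000000100200002
CapEff: 0000000100200002
CapBnd: 0000000100200002"""

if __name__ == "__main__":
    for label, text, root in (("User=test", AS_USER, False), ("root", AS_ROOT, True)):
        seen = parse_status(text)
        model = after_execve(seen["CapInh"], seen["CapBnd"], root)
        for field, mask in seen.items():
            print(f"{label:9} {field}: {mask:016x} {names(mask)}")
        print(f"{label:9} matches execve() rule: {model == seen}")
```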
  </body>
</html>