[systemd-devel] Running a systemd service in capability-only environment as non-root user
Michal Witanowski
m.witanowski at samsung.com
Tue May 27 06:31:43 PDT 2014
Hi,
first of all I'd like to note that I'm not sure if I'm writing in the
right place.
I have a problem with running a systemd service in "capability-only
environment": I want to run a process with some caps (cap_sys_admin
cap_dac_override cap_mac_override) as a regular user (UID != 0).
My service config file looks something like this:
User=test
CapabilityBoundingSet=cap_sys_admin cap_dac_override cap_mac_override
Capabilities=cap_sys_admin,cap_dac_override,cap_mac_override=eip
SecureBits=keep-caps
Unfortunately, the process does not gain any permissive capabilities:
CapInh: 0000000100200002
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000100200002
However, when I run the service as root (by removing "User=test") the
process does own the required caps:
CapInh: 0000000100200002
CapPrm: 0000000100200002
CapEff: 0000000100200002
CapBnd: 0000000100200002
It looks like the "SecureBits=keep-caps" option, which should preserve
permissive caps after root drop according to [1], does not work. Am I
doing something wrong?
Any response would be very helpful.
Best Regards,
Michal Witanowski
[1] http://linux.die.net/man/7/capabilities
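An added example (not from the post or from systemd) that decodes the hex Cap* masks /proc/<pid>/status prints, as quoted above, into capability names and states which set actually grants privilege; the CAP_NAMES table is a subset of the bit numbers in linux/capability.h.

```python
# Added example (not from the mailing-list post): decode the CapInh/CapPrm/CapEff/CapBnd
# masks from /proc/<pid>/status so the sets quoted in the post can be read by name.
# Bit numbers come from linux/capability.h; only a subset is listed here.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    5: "cap_kill", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    12: "cap_net_admin", 13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
    32: "cap_mac_override", 33: "cap_mac_admin",
}

def decode_mask(hex_mask: str) -> set:
    """Turn a 64-bit hex mask into the set of capability names whose bit is set."""
    value = int(hex_mask, 16)
    return {CAP_NAMES.get(bit, "cap_%d" % bit) for bit in range(64) if (value >> bit) & 1}

def parse_status(text: str) -> dict:
    """Extract the Cap* lines of /proc/<pid>/status text into {set name: {cap names}}."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, mask = line.partition(":")
            sets[key.strip()] = decode_mask(mask.strip())
    return sets

def diagnose(sets: dict) -> str:
    """Say what the process can actually use: only CapEff grants privilege."""
    eff, prm = sets.get("CapEff", set()), sets.get("CapPrm", set())
    inh, bnd = sets.get("CapInh", set()), sets.get("CapBnd", set())
    if eff:
        return "effective: " + ", ".join(sorted(eff))
    if inh & bnd and not prm:
        # The symptom in the post: inheritable and bounding carry the caps, permitted is empty.
        # Per capabilities(7), inheritable caps only become permitted across execve when the
        # executable's own file inheritable set also contains them.
        return "not usable: " + ", ".join(sorted(inh & bnd)) + " are only inheritable/bounding"
    return "no capabilities"

# Constructed samples: the two /proc status excerpts quoted in the post.
NON_ROOT_STATUS = """CapInh: 0000000100200002
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000100200002"""
ROOT_STATUS = """CapInh: 0000000100200002
CapPrm: 0000000100200002
CapEff: 0000000100200002
CapBnd: 0000000100200002"""

if __name__ == "__main__":
    for label, text in (("User=test", NON_ROOT_STATUS), ("root", ROOT_STATUS)):
        print(label, "->", diagnose(parse_status(text)))
```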