[systemd-devel] Running a systemd service in capability-only environment as non-root user

Mantas Mikulėnas grawity at gmail.com
Tue May 27 12:11:45 PDT 2014


On Tue, May 27, 2014 at 4:31 PM, Michal Witanowski
<m.witanowski at samsung.com> wrote:
> Hi,
>
> first of all I'd like to mark that I'm not sure if I'm writing in the right
> place.
>
> I have a problem with running a systemd service in "capability-only
> environment": I want to run a process with some caps (cap_sys_admin
> cap_dac_override cap_mac_override) as a regular user (UID != 0).
> My service config file looks something like this:
>
> User=test
> CapabilityBoundingSet=cap_sys_admin cap_dac_override cap_mac_override
> Capabilities=cap_sys_admin,cap_dac_override,cap_mac_override=eip
> SecureBits=keep-caps
>
> Unfortunately, the process does not gain any permissive capabilities:
>
> CapInh: 0000000100200002
> CapPrm: 0000000000000000
> CapEff: 0000000000000000
> CapBnd: 0000000100200002
>
> However, when I run the service as root (by removing "User=test") the
> process does own required caps:
>
> CapInh: 0000000100200002
> CapPrm: 0000000100200002
> CapEff: 0000000100200002
> CapBnd: 0000000100200002

Does the executable file itself have these capabilities set as "=ei"?

According to the same manual page, each capability must be set as
inheritable for both the process and the file, to receive them _at
all_...

"P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)"

...and as effective on the file, otherwise the new process has to
manually 'enable' them:

"P'(effective) = F(effective) ? P'(permitted) : 0"

...or at least that seems to be how it works. Damn thing is confusing.

-- 
Mantas Mikulėnas <grawity at gmail.com>


More information about the systemd-devel mailing list