[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)

Lennart Poettering lennart at poettering.net
Wed Apr 8 14:31:34 PDT 2015


On Wed, 18.03.15 19:56, Nusenu (nusenu at openmailbox.org) wrote:

> Hi,
> 
> I'm currently preparing a systemd service file for tor [1].
> 
> We make use of CapabilityBoundingSet and first we had it set to:
> 
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
> 
> but after noticing that reloads fail I added CAP_KILL for reload to
> work *via* the systemctl command.
> 
> CAP_KILL is not required if you reload the process manually (kill -HUP
> $PID) without using systemctl.
> 
> That tells me that the ExecReload command (kill) is also restricted by
> CapabilityBoundingSet. Is this expected and does that imply that every
> service requires CAP_KILL for proper reloads with systemctl?
> Is it possible to specify distinct CapabilityBoundingSets for the
> service (ExecStart) and the reload (ExecReload)?

Simply set PermissionsStartOnly=yes in your unit file. If so, the
permission-related settings (including CapabilityBoundingSet=) will
only be applied to ExecStart=, not the ExecReload= or the other lines.

Lennart

-- 
Lennart Poettering, Red Hat
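
Added example (not part of the original message or of systemd): a heuristic check for the situation in this thread, flagging a unit whose ExecReload= runs kill while CapabilityBoundingSet= lacks CAP_KILL and PermissionsStartOnly=yes is not set. The sample unit is constructed; its ExecStart=/ExecReload= paths and all function names are assumptions.

```python
import shlex

# Constructed sample unit: the bounding set is the one quoted in the thread,
# the ExecStart=/ExecReload= paths are assumptions.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP $MAINPID
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
"""

def parse_service(text):
    """Collect [Service] settings; keys may repeat, so values are lists."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def bounding_set_has_kill(values):
    """Simplification: only the last assignment is evaluated."""
    if not values:
        return True  # no bounding set configured, nothing is dropped
    inverted = values[-1].startswith("~")  # "~" lists capabilities to remove
    names = values[-1].lstrip("~").split()
    return ("CAP_KILL" in names) != inverted

def reload_uses_kill(values):
    for value in values:
        argv = shlex.split(value.lstrip("-@+!:"))  # drop exec prefixes
        if argv and argv[0].rsplit("/", 1)[-1] == "kill":
            return True
    return False

def check_unit(text):
    """Return a warning string, or None if the reload path looks fine."""
    s = parse_service(text)
    start_only = s.get("PermissionsStartOnly", ["no"])[-1].lower() in ("yes", "true", "on", "1")
    if start_only or bounding_set_has_kill(s.get("CapabilityBoundingSet", [])):
        return None
    if not reload_uses_kill(s.get("ExecReload", [])):
        return None
    return "ExecReload= runs kill, but CapabilityBoundingSet= lacks CAP_KILL"
```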

