[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)
nusenu
nusenu at openmailbox.org
Wed Apr 29 12:33:30 PDT 2015
>> I'm currently preparing a systemd service file for tor [1].
>>
>> We make use of CapabilityBoundingSet and first we had it set to:
>>
>> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
>>
>> but after noticing that reloads fail I added CAP_KILL for reload
>> to work *via* the systemctl command.
>>
>> CAP_KILL is not required if you reload the process manually (kill
>> -HUP $PID) without using systemctl.
>>
>> That tells me that the ExecReload command (kill) is also
>> restricted by CapabilityBoundingSet. Is this expected and does
>> that imply that every service requires CAP_KILL for proper
>> reloads with systemctl? Is it possible to specify distinct
>> CapabilityBoundingSets for the service (ExecStart) and the reload
>> (ExecReload)?
>
> Simply set PermissionsStartOnly=yes in your unit file. If so, the
> permission-related settings (including CapabilityBoundingSet=)
> will only be applied to ExecStart=, not the ExecReload= or the
> other lines.
Thanks for this info!
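The behaviour discussed in this thread can be checked from the kernel's side. The following is an added example, not part of the original messages and not code from tor or systemd: it decodes the `CapBnd` line of `/proc/<pid>/status` and tests whether CAP_KILL is in the bounding set. The function names and the status excerpt are constructed for illustration, and it assumes the `ExecReload=` kill runs as root while the daemon has switched to another user, the case in which kill(2) needs CAP_KILL.

```shell
#!/bin/sh
# Added example. Bit numbers are from linux/capability.h; only the
# capabilities named in the thread are mapped.
cap_bit() {
  case "$1" in
    CAP_KILL)             echo 5 ;;
    CAP_SETGID)           echo 6 ;;
    CAP_SETUID)           echo 7 ;;
    CAP_NET_BIND_SERVICE) echo 10 ;;
    *) return 1 ;;
  esac
}

# mask_for CAP...: hex mask that a CapabilityBoundingSet= list produces.
mask_for() {
  m=0
  for c in "$@"; do
    b=$(cap_bit "$c") || return 1
    m=$(( $m | (1 << $b) ))
  done
  printf '%016x\n' "$m"
}

# capbnd_from_status: print the CapBnd hex value from status text on stdin.
capbnd_from_status() {
  awk '$1 == "CapBnd:" { print $2 }'
}

# has_cap HEXMASK CAP: succeed if CAP's bit is set in HEXMASK.
has_cap() {
  b=$(cap_bit "$2") || return 2
  [ $(( (0x$1 >> $b) & 1 )) -eq 1 ]
}

# Constructed sample: status excerpt of a process started with the
# bounding set first quoted in the thread (no CAP_KILL).
SAMPLE_STATUS='Name:   kill
Uid:    0 0 0 0
CapBnd: 00000000000004c0'

bnd=$(printf '%s\n' "$SAMPLE_STATUS" | capbnd_from_status)
if has_cap "$bnd" CAP_KILL; then
  echo "CapBnd=$bnd: CAP_KILL present in bounding set"
else
  echo "CapBnd=$bnd: CAP_KILL missing from bounding set"
fi
```

On a live system, feed it real data with `capbnd_from_status < /proc/$PID/status` and compare the result against `mask_for` with the capabilities listed in the unit file.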