[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)

Nusenu nusenu at openmailbox.org
Wed Mar 18 12:56:34 PDT 2015


Hi,

I'm currently preparing a systemd service file for tor [1].

We make use of CapabilityBoundingSet and first we had it set to:

CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

but after noticing that reloads fail I added CAP_KILL for reload to
work *via* the systemctl command.

CAP_KILL is not required if you reload the process manually (kill -HUP
$PID) without using systemctl.

That tells me that the ExecReload command (kill) is also restricted by
CapabilityBoundingSet. Is this expected and does that imply that every
service requires CAP_KILL for proper reloads with systemctl?
Is it possible to specify distinct CapabilityBoundingSets for the
service (ExecStart) and the reload (ExecReload)?

thanks,
Nusenu
I'm testing on Debian jessie (using systemd 215).

[1]
https://github.com/nusenu/tor-multi-instance-initscripts/blob/master/debian/tor.service
https://bugs.torproject.org/14995
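
A lint check for the configuration described in the message above, added here as an example (not part of the original message or the tor project's unit file): it parses a unit's [Service] section and flags a kill-based ExecReload whose CapabilityBoundingSet omits CAP_KILL. The sample unit text, its ExecStart and ExecReload lines, and all function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the settings quoted in the message; the
# ExecStart and ExecReload lines are assumptions, not the project's unit file.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
"""

def service_settings(unit_text):
    """Collect [Service] assignments; an empty value resets earlier ones."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value:
                settings.setdefault(key, []).append(value)
            else:
                settings[key] = []
    return settings

def in_bounding_set(settings, cap):
    """True if cap remains available. Simplified: a "~" prefix inverts the
    list; units mixing inverted and plain assignments are not modelled."""
    if "CapabilityBoundingSet" not in settings:
        return True  # no setting: the bounding set is not restricted
    listed, inverted = set(), False
    for value in settings["CapabilityBoundingSet"]:
        inverted = inverted or value.startswith("~")
        listed.update(value.lstrip("~").split())
    return (cap not in listed) if inverted else (cap in listed)

def reload_lacks_cap_kill(unit_text):
    """Flag a kill-based ExecReload whose bounding set omits CAP_KILL."""
    settings = service_settings(unit_text)
    uses_kill = any(
        re.search(r"(^|/)kill(\s|$)", cmd.lstrip("-@+!:"))  # skip exec prefixes
        for cmd in settings.get("ExecReload", [])
    )
    return uses_kill and not in_bounding_set(settings, "CAP_KILL")
```

Calling `reload_lacks_cap_kill(SAMPLE_UNIT)` returns `True` for the three-capability set quoted in the message and `False` once CAP_KILL is appended to it.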

