[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)
Reindl Harald
h.reindl at thelounge.net
Wed Mar 18 13:09:40 PDT 2015
Am 18.03.2015 um 20:56 schrieb Nusenu:
> I'm currently preparing a systemd service file for tor [1].
>
> We make use of CapabilityBoundingSet and first we had it set to:
>
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
>
> but after noticing that reloads fail I added CAP_KILL for reload to
> work *via* the systemctl command.
>
> CAP_KILL is not required if you reload the process manually (kill -HUP
> $PID) without using systemctl.
>
> That tells me that the ExecReload command (kill) is also restricted by
> CapabilityBoundingSet. Is this expected and does that imply that every
> service requires CAP_KILL for proper reloads with systemctl?
> Is it possible to specify distinct CapabilityBoundingSets for the
> service (ExecStart) and the reload (ExecReload)?
recent systemd has more problems in context of systemctl and restricting
even PID1 itself in a way no longer be able to kill processes
https://bugzilla.redhat.com/show_bug.cgi?id=1184016#c4
https://bugzilla.redhat.com/show_bug.cgi?id=1088619#c84
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150318/03533ae2/attachment.sig>
More information about the systemd-devel
mailing list