[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)

Reindl Harald h.reindl at thelounge.net
Wed Mar 18 13:09:40 PDT 2015

Am 18.03.2015 um 20:56 schrieb Nusenu:
> I'm currently preparing a systemd service file for tor [1].
> We make use of CapabilityBoundingSet and first we had it set to:
> but after noticing that reloads fail I added CAP_KILL for reload to
> work *via* the systemctl command.
> CAP_KILL is not required if you reload the process manually (kill -HUP
> $PID) without using systemctl.
> That tells me that the ExecReload command (kill) is also restricted by
> CapabilityBoundingSet. Is this expected and does that imply that every
> service requires CAP_KILL for proper reloads with systemctl?
> Is it possible to specify distinct CapabilityBoundingSets for the
> service (ExecStart) and the reload (ExecReload)?

recent systemd has more problems in context of systemctl and restricting 
even PID1 itself in a way no longer be able to kill processes


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150318/03533ae2/attachment.sig>

More information about the systemd-devel mailing list