[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)
h.reindl at thelounge.net
Wed Mar 18 13:09:40 PDT 2015
On 18.03.2015 at 20:56, Nusenu wrote:
> I'm currently preparing a systemd service file for tor.
> We make use of CapabilityBoundingSet and first we had it set to:
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
> but after noticing that reloads fail I added CAP_KILL for reload to
> work *via* the systemctl command.
> CAP_KILL is not required if you reload the process manually (kill -HUP
> $PID) without using systemctl.
> That tells me that the ExecReload command (kill) is also restricted by
> CapabilityBoundingSet. Is this expected and does that imply that every
> service requires CAP_KILL for proper reloads with systemctl?
> Is it possible to specify distinct CapabilityBoundingSets for the
> service (ExecStart) and the reload (ExecReload)?
Recent systemd has more problems in the context of systemctl and restricting
even PID1 itself in a way that it is no longer able to kill processes.
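An added example, not part of the thread: a shell check that decodes a `CapBnd` mask (the bounding-set line in `/proc/<pid>/status`) and reports whether CAP_KILL is in it, run over the two sets named in the question. The function names and the two sample masks are constructed for illustration; it assumes the service's main process carries the unit's CapabilityBoundingSet.

```shell
#!/bin/sh
# Capability bit numbers as defined in <linux/capability.h>:
#   CAP_KILL=5  CAP_SETGID=6  CAP_SETUID=7  CAP_NET_BIND_SERVICE=10

# has_cap MASK_HEX BIT: succeeds if bit BIT is set in the hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# list_caps MASK_HEX: prints which of the four capabilities above are set.
list_caps() {
    out=""
    for pair in CAP_KILL:5 CAP_SETGID:6 CAP_SETUID:7 CAP_NET_BIND_SERVICE:10; do
        name=${pair%%:*}
        bit=${pair##*:}
        if has_cap "$1" "$bit"; then
            out="$out${out:+ }$name"
        fi
    done
    printf '%s\n' "$out"
}

# bnd_of_pid PID: prints the bounding-set mask of a running process.
bnd_of_pid() {
    awk '/^CapBnd:/ {print $2}' "/proc/$1/status"
}

# reload_check MASK_HEX: reports whether a kill-based reload has CAP_KILL.
reload_check() {
    if has_cap "$1" 5; then
        echo "CAP_KILL present"
    else
        echo "CAP_KILL missing"
    fi
}

# Constructed sample masks for the two settings discussed in the question.
WITHOUT_KILL=00000000000004c0   # CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
WITH_KILL=00000000000004e0      # the same set plus CAP_KILL

for mask in "$WITHOUT_KILL" "$WITH_KILL"; do
    printf '%s: %s (%s)\n' "$mask" "$(list_caps "$mask")" "$(reload_check "$mask")"
done
```

On a live system, `bnd_of_pid "$(systemctl show -p MainPID --value tor.service)"` supplies the mask to pass to `reload_check`; the unit name here is an assumption.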