[systemd-devel] CapabilityBoundingSet vs. ExecReload (kill)

Reindl Harald h.reindl at thelounge.net
Thu Mar 19 10:22:46 PDT 2015

Am 19.03.2015 um 18:04 schrieb Nusenu:
>>> That tells me that the ExecReload command (kill) is also
>>> restricted by CapabilityBoundingSet. Is this expected [..]?
>> recent systemd has more problems in context of systemctl and
>> restricting even PID1 itself in a way no longer be able to kill
>> processes
> thanks for the links. so you are saying this is just a bug and indeed
> not expected?

to be honest i don't know but i hope it's not excpected so it can go 
away sonner or later - while i understand the intention restrict even 
systemd pieces itself as much as possible some of this things are in the 
way when you try to secure a customized service as much as possible

as example there is "PermissionsStartOnly=true" which helps to have a 
"ExecStartPre" script to ensure permissions and apply User/Group only to 
"ExecStart" the same don#t work for "ReadOnlyDirectories" which are 
unconditionally applied *before* ExecStartPre

what i would like in some cases is to have a "ExecStartPre" script which 
takes acre of owner, group, permissions and so on on folders which are 
finally protected by "ReadOnlyDirectories" - in otehr words: make sure 
that the service binary has read-permissions without the need of a own 
root-unit ordered with Before/After beause that don't sale with 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150319/4edd5ae9/attachment.sig>

More information about the systemd-devel mailing list