[systemd-devel] Non-root service with CAP_NET_RAW
grawity at gmail.com
Wed Mar 1 05:11:43 UTC 2017
CapabilityBoundingSet is the exact opposite of what you need, then. It's
the *bounding set*, it limits capabilities.

With recent kernels, you'll probably want AmbientCapabilities= as the
simplest option. (Can't remember when that was introduced though.)

With older kernels you'll have to use the older Capabilities= setting *and*
set file capabilities (setcap) on the executable itself.

(Well, depending on what file caps you set you might not even need any
systemd settings at all... See e.g. "getcap /sbin/ping" as a fully
standalone example, iirc it uses "cap_foo=eip" for this.)

On Wed, Mar 1, 2017, 00:40 Ian Pilcher <arequipeno at gmail.com> wrote:

> Does anyone know of a "howto" or similar that lists the steps that I
> need to take to run a service as a non-root user (nobody) with
> I've tried adding CapabilityBoundingSet=CAP_NET_RAW to the [Service]
> section of my unit file, but it doesn't appear to be working.
> What else do I need to do?
> Ian Pilcher arequipeno at gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
Mantas Mikulėnas <grawity at gmail.com>
Sent from my phone
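
Added example, not part of the original message or of systemd: a Python check that reads the capability masks from /proc/<pid>/status and reports whether CAP_NET_RAW is actually granted to a service or only permitted by its bounding set, which is the difference between CapabilityBoundingSet= and AmbientCapabilities= described in the reply above. The two status excerpts are constructed samples and the function names are hypothetical.

```python
import re
import sys

CAP_NET_RAW = 13  # bit number from <linux/capability.h>

# Constructed excerpt: User=nobody with only CapabilityBoundingSet=CAP_NET_RAW.
BOUNDING_ONLY = """\
Uid:\t65534\t65534\t65534\t65534
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000002000
CapAmb:\t0000000000000000
"""

# Constructed excerpt: User=nobody with AmbientCapabilities=CAP_NET_RAW.
AMBIENT = """\
Uid:\t65534\t65534\t65534\t65534
CapInh:\t0000000000002000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000002000
"""

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", re.M)

def cap_sets(status_text):
    """Parse the five capability masks out of /proc/<pid>/status text."""
    return {m.group(1): int(m.group(2), 16) for m in CAP_LINE.finditer(status_text)}

def diagnose(status_text, cap=CAP_NET_RAW):
    """Say whether `cap` is usable, merely allowed, or ruled out entirely."""
    sets, bit = cap_sets(status_text), 1 << cap
    if sets["CapEff"] & bit:
        return "granted"
    if sets["CapBnd"] & bit:
        # The bounding set is only an upper limit; nothing has granted the cap.
        return "allowed by bounding set but not granted"
    return "excluded by bounding set"

if __name__ == "__main__":
    # Usage: script.py <pid>   (defaults to the current process)
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as fh:
        print(diagnose(fh.read()))
```

Run it against the service's main PID (for example the one reported by systemctl show -p MainPID) to confirm the unit change took effect.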