[systemd-devel] Non-root service with CAP_NET_RAW
Mantas Mikulėnas
grawity at gmail.com
Wed Mar 1 05:11:43 UTC 2017
CapabilityBoundingSet is the exact opposite of what you need, then. It's
the *bounding set*, it limits capabilities.
With recent kernels, you'll probably want AmbientCapabilities= as the
simplest option. (Can't remember when that was introduced though.)
With older kernels you'll have to use the older Capabilities= setting *and*
set file capabilities (setcap) on the executable itself.
(Well, depending on what file caps you set you might not even need any
systemd settings at all... See e.g. "getcap /sbin/ping" as a fully
standalone example, iirc it uses "cap_foo=eip" for this.)
On Wed, Mar 1, 2017, 00:40 Ian Pilcher <arequipeno at gmail.com> wrote:
Does anyone know of a "howto" or similar that lists the steps that I
need to take to run a service as a non-root user (nobody) with
CAP_NET_RAW?
I've tried adding CapabilityBoundingSet=CAP_NET_RAW to the [Service]
section of my unit file, but it doesn't appear to be working.
What else do I need to do?
Thanks!
--
========================================================================
Ian Pilcher arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
_______________________________________________
systemd-devel mailing list
systemd-devel at lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
Mantas Mikulėnas <grawity at gmail.com>
Sent from my phone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20170301/79c3fbe9/attachment-0001.html>
More information about the systemd-devel
mailing list