[systemd-devel] Non-root service with CAP_NET_RAW

Mantas Mikulėnas grawity at gmail.com
Wed Mar 1 05:11:43 UTC 2017


CapabilityBoundingSet is the exact opposite of what you need, then. It's
the *bounding set*, it limits capabilities.

With recent kernels, you'll probably want AmbientCapabilities= as the
simplest option. (Can't remember when that was introduced though.)

With older kernels you'll have to use the older Capabilities= setting *and*
set file capabilities (setcap) on the executable itself.

(Well, depending on what file caps you set you might not even need any
systemd settings at all... See e.g. "getcap /sbin/ping" as a fully
standalone example, iirc it uses "cap_foo=eip" for this.)

On Wed, Mar 1, 2017, 00:40 Ian Pilcher <arequipeno at gmail.com> wrote:

Does anyone know of a "howto" or similar that lists the steps that I
need to take to run a service as a non-root user (nobody) with
CAP_NET_RAW?

I've tried adding CapabilityBoundingSet=CAP_NET_RAW to the [Service]
section of my unit file, but it doesn't appear to be working.

What else do I need to do?

Thanks!

--
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

-- 

Mantas Mikulėnas <grawity at gmail.com>
Sent from my phone
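
An added example, not part of the thread or of systemd itself: a small check that reads the Cap* masks from /proc/<pid>/status and reports whether CAP_NET_RAW is actually held or merely permitted by the bounding set. The two sample inputs are constructed to match the two unit configurations discussed above; the function names and verdict strings are assumptions of this example.

```python
import re
import sys

CAP_NET_RAW = 13  # bit number of CAP_NET_RAW in <linux/capability.h>

# Constructed sample (not captured from a real host):
# User=nobody with only CapabilityBoundingSet=CAP_NET_RAW, as in the question.
STATUS_BOUNDING_ONLY = (
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000002000\n"
    "CapAmb:\t0000000000000000\n"
)
# Constructed sample: User=nobody with AmbientCapabilities=CAP_NET_RAW.
STATUS_AMBIENT = (
    "CapInh:\t0000000000002000\nCapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\nCapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000002000\n"
)


def parse_cap_sets(status_text):
    """Return {"CapEff": int, ...} for every Cap* line that is present."""
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}


def diagnose(status_text, cap=CAP_NET_RAW):
    """Say whether the process can use `cap`, and if not, which set stops it."""
    bit = 1 << cap
    sets = parse_cap_sets(status_text)
    # A missing line (e.g. no CapAmb on older kernels) counts as "not set".
    if sets.get("CapEff", 0) & bit:
        return "usable"
    if not sets.get("CapBnd", 0) & bit:
        return "blocked by bounding set"
    # The bounding set only limits; it never grants anything by itself.
    return "allowed by bounding set but not granted"


if __name__ == "__main__":
    # Usage: script.py [PID]  (defaults to the current process)
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as fh:
        print(diagnose(fh.read()))
```

Run it against the service's main PID (for example the one shown by systemctl status) to see which of the two situations a unit is in.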