[systemd-devel] Non-root service with CAP_NET_RAW

Lennart Poettering lennart at poettering.net
Wed Mar 1 11:28:16 UTC 2017

On Wed, 01.03.17 05:11, Mantas Mikul─Śnas (grawity at gmail.com) wrote:

> CapabilityBoundingSet is the exact opposite of what you need, then. It's
> the *bounding set*, it limits capabilities.
> With recent kernels, you'll probably want AmbientCapabilities= as the
> simplest option. (Can't remember when that was introduced though.)
> With older kernels you'll have to use the older Capabilities= setting *and*
> set file capabilities (setcap) on the executable itself.

We removed support for Capabilities= in current systemd versions. The
concept really was pretty much unusable the way it was. In current
systemd versions there's just CapabilityBoundingSet= to take away caps
forever, and AmbientCapabilities= to pass additional caps, but the
latter requires a somewhat recent kernel as mentioned.


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list