[systemd-devel] Non-root service with CAP_NET_RAW
lennart at poettering.net
Wed Mar 1 11:28:16 UTC 2017
On Wed, 01.03.17 05:11, Mantas Mikulėnas (grawity at gmail.com) wrote:
> CapabilityBoundingSet is the exact opposite of what you need, then. It's
> the *bounding set*, it limits capabilities.
> With recent kernels, you'll probably want AmbientCapabilities= as the
> simplest option. (Can't remember when that was introduced though.)
> With older kernels you'll have to use the older Capabilities= setting *and*
> set file capabilities (setcap) on the executable itself.
We removed support for Capabilities= in current systemd versions. The
concept really was pretty much unusable the way it was. In current
systemd versions there's just CapabilityBoundingSet= to take away caps
forever, and AmbientCapabilities= to pass additional caps, but the
latter requires a somewhat recent kernel as mentioned.
Lennart Poettering, Red Hat
More information about the systemd-devel