[systemd-devel] Difference between CapabilityBoundingSet and AmbientCapabilities?

Mantas Mikulėnas grawity at gmail.com
Tue Sep 18 18:06:27 UTC 2018


On Tue, Sep 18, 2018 at 8:28 PM Manuel Reimer <Manuel.Spam at nurfuerspam.de>
wrote:

> Hello,
>
> can someone please give a short hint or link to easy to understand
> information, so I can find the difference between the "Capability"
> settings in systemd.exec?
>
>
They're opposites. AmbientCapabilities= will *grant* the listed
capabilities automatically, while CapabilityBoundingSet= will *limit* what
capabilities the process may receive from any sources (even limiting suid).


> I have two situations:
>
> What will I use if I have a "User=" configured, but I want to give one
> or two additional capabilities to the launched daemon?
>
> Is it also possible to add additional capabilities to daemons which
> switch user (setuid) in their own code?
>

Programs which start as root (whether normally or via suid) already have
all possible capabilities (unless limited by the bounding set), so they may
use libcap / libcap-ng to control which capabilities to retain before
calling setuid(). See for example <
https://stackoverflow.com/a/13186076/49849>.

Programs which start as regular user must have capabilities granted
externally, either inherited from parent via ambient capabilities (e.g. the
systemd service option you just found), or assigned via file capabilities
(a common example is /usr/bin/ping being granted cap_net_raw with `setcap`).

I think the same answer applies to both.

-- 
Mantas Mikulėnas
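The first case in the reply above (a daemon that starts as root and retains a subset of capabilities itself before calling setuid()), as an added example that is not code from the thread or from systemd: it uses the raw capget/capset syscalls and prctl(PR_SET_KEEPCAPS) instead of libcap so it builds without -lcap, and the uid/gid 65534 and CAP_NET_BIND_SERVICE are placeholder choices. Run as root it drops to the unprivileged uid and keeps only that capability; run unprivileged it just reports the current effective set.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Capability sets are a 64-bit bitmask; the v3 capget/capset API splits it into two 32-bit words. */
uint64_t cap_mask(const int *caps, size_t n) {
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] < 64)
            m |= (uint64_t)1 << caps[i];
    return m;
}

/* Read the calling thread's effective capability set (allowed for unprivileged processes). */
int get_effective_caps(uint64_t *out) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* Switch from root to uid/gid while keeping only the capabilities in `keep`.
 * Without PR_SET_KEEPCAPS, setuid() to a non-zero uid clears every capability set. */
int drop_root_keep_caps(uid_t uid, gid_t gid, uint64_t keep) {
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The permitted set survived the uid change but the effective set was cleared:
     * re-raise `keep` into effective and shrink permitted to that same subset. */
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = {
        { .effective = (uint32_t)keep, .permitted = (uint32_t)keep, .inheritable = 0 },
        { .effective = (uint32_t)(keep >> 32), .permitted = (uint32_t)(keep >> 32), .inheritable = 0 },
    };
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

int main(void) {
    const int wanted[] = { CAP_NET_BIND_SERVICE };   /* placeholder: a daemon binding a low port */
    uint64_t keep = cap_mask(wanted, 1), eff = 0;
    if (getuid() == 0 && drop_root_keep_caps(65534, 65534, keep) != 0) { /* 65534: placeholder uid/gid */
        perror("drop_root_keep_caps");
        return 1;
    }
    get_effective_caps(&eff);
    printf("uid=%u effective caps=%#llx\n", (unsigned)getuid(), (unsigned long long)eff);
    return 0;
}
```

For the second case (User= in the unit), the same result is reached without any of this code by letting systemd grant the capability with AmbientCapabilities=, as the reply says.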