On Fri, 16 Aug 2019, Jordan Glover wrote:
> "systemd --user" service? Trying to do so will fail with:
> "Failed to apply ambient capabilities (before UID change): Operation not permitted"
>
> I think it's crucial to clear that point to avoid confusion in this discussion
> where people are talking about different things.
>
> On the other hand running "systemd --system" service with:
>
> User=nobody
> AmbientCapabilities=CAP_NET_ADMIN
>
> is perfectly legit and clears some security concerns as only privileged user
> can start such service.

While we are at it, can we please stop looking at this from a systemd only
perspective. There is a world outside of systemd.

Thanks,

tglx