Re: Difference between CapabilityBoundingSet and AmbientCapabilities?

On Tue, Sep 18, 2018 at 8:28 PM Manuel Reimer <Manuel.Spam@xxxxxxxxxxxxxx> wrote:
> Hello,
>
> can someone please give a short hint or link to easy-to-understand
> information, so I can find the difference between the "Capability"
> settings in systemd.exec?


They're opposites. AmbientCapabilities= will *grant* the listed capabilities automatically, while CapabilityBoundingSet= will *limit* what capabilities the process may receive from any sources (even limiting suid).

> I have two situations:
>
> What will I use if I have a "User=" configured, but I want to give one
> or two additional capabilities to the launched daemon?
>
> Is it also possible to add additional capabilities to daemons which
> switch user (setuid) in their own code?

Programs which start as root (whether normally or via suid) already have all possible capabilities (unless limited by the bounding set), so they may use libcap / libcap-ng to control which capabilities to retain before calling setuid(). See for example <https://stackoverflow.com/a/13186076/49849>.

Programs which start as regular user must have capabilities granted externally, either inherited from parent via ambient capabilities (e.g. the systemd service option you just found), or assigned via file capabilities (a common example is /usr/bin/ping being granted cap_net_raw with `setcap`).

I think the same answer applies to both.

--
Mantas Mikulėnas
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
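The reply above rests on how the kernel recomputes a process's capability sets at execve(2). The Python below is an added illustration, not code from the thread, from systemd or from libcap: it encodes the transition rules documented in capabilities(7) and runs them through constructed scenarios that mirror the two situations in the question (a service with User= plus AmbientCapabilities=, and a root service clipped by CapabilityBoundingSet= before it drops privileges itself), plus the file-capability and set-UID-root cases the answer mentions. The CAP_* bit numbers are the real kernel values; CAP_LAST_CAP = 40, the scenario UIDs and the "unit settings" in the comments are assumptions, and SECBIT_NOROOT is assumed unset.

```python
# Added example, not from the thread or from systemd: a model of the
# capability transition the kernel applies at execve(2), following the rules
# in capabilities(7). It shows why CapabilityBoundingSet= limits what a
# process can receive from any source (file capabilities, set-UID root) while
# AmbientCapabilities= grants capabilities to a service running as a non-root
# User=. Capability bit numbers are the real CAP_* values; the scenarios and
# the unit settings named in comments are constructed. SECBIT_NOROOT is
# assumed unset, so the classic root rules apply.
from dataclasses import dataclass

CAP_NET_BIND_SERVICE = 10
CAP_NET_RAW = 13
CAP_SYS_ADMIN = 21
CAP_LAST_CAP = 40                      # assumption: kernel 5.9+ numbering
ALL_CAPS = (1 << (CAP_LAST_CAP + 1)) - 1
NAMES = {CAP_NET_BIND_SERVICE: "cap_net_bind_service",
         CAP_NET_RAW: "cap_net_raw", CAP_SYS_ADMIN: "cap_sys_admin"}


def caps(*numbers):
    """Build a capability mask from CAP_* numbers."""
    mask = 0
    for n in numbers:
        mask |= 1 << n
    return mask


def describe(mask: int) -> str:
    """Render a mask the way getpcaps/setcap would name it (small subset)."""
    if mask == ALL_CAPS:
        return "all capabilities"
    names = [NAMES.get(n, f"cap_{n}") for n in range(CAP_LAST_CAP + 1)
             if (mask >> n) & 1]
    return ",".join(names) or "(none)"


@dataclass
class ProcCaps:
    """The five capability sets of the calling process before execve()."""
    permitted: int = 0
    effective: int = 0
    inheritable: int = 0
    bounding: int = ALL_CAPS           # what CapabilityBoundingSet= restricts
    ambient: int = 0                   # what AmbientCapabilities= raises


@dataclass
class FileCaps:
    """What the executable brings: setcap(8) sets, or set-UID root."""
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False
    setuid_root: bool = False


def exec_transition(p: ProcCaps, f: FileCaps, euid: int) -> ProcCaps:
    """Apply the capabilities(7) execve() rules and return the new sets."""
    f_perm, f_inh, f_eff = f.permitted, f.inheritable, f.effective
    # Root rule: if the caller is root or the file is set-UID root, the file
    # permitted and inheritable sets count as all ones and the file effective
    # bit as set. Note that the bounding set is still applied below.
    if euid == 0 or f.setuid_root:
        f_perm = f_inh = ALL_CAPS
        f_eff = True
    # Ambient capabilities survive only an exec of a non-privileged file
    # (neither set-UID/set-GID nor carrying file capabilities).
    privileged = f.setuid_root or f.permitted != 0 or f.inheritable != 0
    new_ambient = 0 if privileged else p.ambient
    # P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bounding)) | P'(ambient)
    new_permitted = (p.inheritable & f_inh) | (f_perm & p.bounding) | new_ambient
    # P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
    new_effective = new_permitted if f_eff else new_ambient
    return ProcCaps(permitted=new_permitted, effective=new_effective,
                    inheritable=p.inheritable, bounding=p.bounding,
                    ambient=new_ambient)


# Scenario 1 (constructed): User=app, AmbientCapabilities=CAP_NET_BIND_SERVICE.
# Before exec, the manager raises the capability into the inheritable and
# ambient sets (it must also be permitted); the daemon binary itself is plain.
def user_service_with_ambient() -> int:
    want = caps(CAP_NET_BIND_SERVICE)
    p = ProcCaps(permitted=want, inheritable=want, ambient=want)
    return exec_transition(p, FileCaps(), euid=1000).effective


# Scenario 2 (constructed): no User= (root) but
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE. Root would normally start with
# everything; the bounding set clips it, and the daemon can later setuid()
# after keeping what it needs via libcap.
def root_service_with_bounding_set() -> int:
    p = ProcCaps(permitted=ALL_CAPS, effective=ALL_CAPS,
                 bounding=caps(CAP_NET_BIND_SERVICE))
    return exec_transition(p, FileCaps(), euid=0).effective


# Scenario 3 (constructed): an unprivileged service execs a binary with file
# capabilities, like ping with cap_net_raw=ep. Whether CAP_NET_RAW arrives
# depends only on the bounding set.
def file_caps_under_bounding_set(bounding: int) -> int:
    p = ProcCaps(bounding=bounding)
    ping = FileCaps(permitted=caps(CAP_NET_RAW), effective=True)
    return exec_transition(p, ping, euid=1000).effective


# Scenario 4 (constructed): the same service execs a set-UID-root helper.
# It becomes root, but only with the capabilities left in the bounding set.
def setuid_root_under_bounding_set(bounding: int) -> int:
    p = ProcCaps(bounding=bounding)
    return exec_transition(p, FileCaps(setuid_root=True), euid=1000).permitted


if __name__ == "__main__":
    limited = caps(CAP_NET_BIND_SERVICE)
    print("User= + AmbientCapabilities:", describe(user_service_with_ambient()))
    print("root + CapabilityBoundingSet:", describe(root_service_with_bounding_set()))
    print("ping, default bounding set:", describe(file_caps_under_bounding_set(ALL_CAPS)))
    print("ping, bounding set limited:", describe(file_caps_under_bounding_set(limited)))
    print("suid root, bounding set limited:", describe(setuid_root_under_bounding_set(limited)))
```

Scenarios 1 and 2 both end with only cap_net_bind_service, but by opposite mechanisms: in scenario 1 nothing but the ambient set contributes, while in scenario 2 the all-ones file sets granted to root are masked by the bounding set. Scenarios 3 and 4 show the "limit what the process may receive from any source" half of the answer: with the bounding set reduced, neither file capabilities nor set-UID root can hand back CAP_NET_RAW.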
