Package: monit
Version: 1:5.33.0-2

Starting with 1:5.33.0-2, the monit systemd unit file got some hardening. Besides other things, the CapabilityBoundingSet got restricted to:

CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SYS_PTRACE

I'm executing a "check program" script which checks the state of some wireguard tunnels. After upgrading monit, these checks ceased to work and returned a 'permission denied' error. The issue was traced back to the strict CapabilityBoundingSet. Assigning the `CAP_NET_ADMIN` capability to monit resolved the issue. This change was applied via a systemd override:

| # in etc/systemd/system/monit.service.d/override.conf
| [Service]
| CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SYS_PTRACE CAP_NET_ADMIN

Debugging this issue was challenging. It seems the new hardening measures could be too restrictive for certain use cases. I suggest reconsidering the default CapabilityBoundingSet settings, or perhaps implementing a more granular system where permissions can be adjusted based on different aspects of the service (e.g., fewer permissions for the monit API and outgoing HTTP calls, and more permissions for "program check").

This problem can be reproduced by this check:

| check program link_wg0_home path "/usr/bin/wg show wg0"
|   if status != 0
|   for 2 cycles
|   then alert

Thank you!
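As an added example that is not part of this bug report: a small script that reads the CapBnd mask of the running monit main process from /proc and reports whether each capability, including CAP_NET_ADMIN, is actually present after the override has been applied. It assumes a systemd host where `systemctl show -p MainPID --value` is available; the capability numbers are the ones from linux/capability.h.

```shell
#!/usr/bin/env sh
# Added example, not code from the bug report or from monit itself.
# Decodes a CapBnd bitmask (as shown in /proc/<pid>/status) and checks
# whether a named capability is part of it, so that a CapabilityBoundingSet
# override can be verified against the process that is really running.

# Capability bit numbers from linux/capability.h (only the ones used here).
cap_number() {
    case "$1" in
        CAP_DAC_READ_SEARCH) echo 2 ;;
        CAP_NET_ADMIN)       echo 12 ;;
        CAP_NET_RAW)         echo 13 ;;
        CAP_SYS_PTRACE)      echo 19 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# has_cap <hex mask, 0x-prefixed> <CAP_NAME>: prints "yes" or "no".
has_cap() {
    mask=$1
    n=$(cap_number "$2") || return 1
    if [ $(( (mask >> n) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# capbnd_of_unit <unit>: CapBnd mask of the unit's main PID, 0x-prefixed.
capbnd_of_unit() {
    pid=$(systemctl show -p MainPID --value "$1") || return 1
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "unit $1 is not running" >&2
        return 1
    fi
    awk '/^CapBnd:/ { print "0x" $2 }' "/proc/$pid/status"
}

# Usage: ./capcheck.sh --check   (run on the host after the override is loaded)
if [ "${1:-}" = "--check" ]; then
    mask=$(capbnd_of_unit monit.service) || exit 1
    echo "monit.service CapBnd = $mask"
    for c in CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SYS_PTRACE CAP_NET_ADMIN; do
        printf '%-20s %s\n' "$c" "$(has_cap "$mask" "$c")"
    done
fi
```

A "no" next to CAP_NET_ADMIN after `systemctl daemon-reload` and a restart means the override was not picked up, which is the first thing to rule out before suspecting the check script itself.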