Hi,

First of all, I'd like to note that I'm not sure if I'm writing in the right place.

I have a problem with running a systemd service in a "capability-only environment": I want to run a process with some caps (cap_sys_admin cap_dac_override cap_mac_override) as a regular user (UID != 0).
My service config file looks something like this:

   User=test
   CapabilityBoundingSet=cap_sys_admin cap_dac_override cap_mac_override
   Capabilities=cap_sys_admin,cap_dac_override,cap_mac_override=eip
   SecureBits=keep-caps

Unfortunately, the process does not gain any permissive capabilities:

   CapInh: 0000000100200002
   CapPrm: 0000000000000000
   CapEff: 0000000000000000
   CapBnd: 0000000100200002

However, when I run the service as root (by removing "User=test"), the process does own the required caps:

   CapInh: 0000000100200002
   CapPrm: 0000000100200002
   CapEff: 0000000100200002
   CapBnd: 0000000100200002

It looks like the "SecureBits=keep-caps" option, which should preserve permissive caps after root drop according to [1], does not work. Am I doing something wrong?

Any response would be very helpful.

Best Regards,
Michal Witanowski

[1] http://linux.die.net/man/7/capabilities
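
An added example, not part of the original post: it decodes the masks shown above and applies the execve() capability rules from capabilities(7) [1], without ambient capabilities, which gives the same values as both outputs in the post. The function names and the UID 1000 standing in for "test" are assumptions.

```python
# Capability numbers from <linux/capability.h>; list index = bit position.
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon
bpf checkpoint_restore""".split()
ALL_CAPS = (1 << len(CAP_NAMES)) - 1

def decode(mask):
    """Turn a CapInh/CapPrm/CapEff/CapBnd value into capability names."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    return ["cap_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]

def parse_status(text):
    """Extract the Cap* lines of /proc/<pid>/status into {field: int}."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key.startswith("Cap") and value.strip():
            out[key] = int(value.strip(), 16)
    return out

def after_execve(inh, bnd, uid, file_inh=0, file_prm=0, file_eff=False):
    """capabilities(7) execve rules (without ambient capabilities).

    For UID 0 the kernel treats the file sets as fully enabled; for any
    other UID a binary without file capabilities contributes nothing.
    keep-caps is cleared by execve and does not enter the formula.
    """
    if uid == 0:
        file_inh, file_prm, file_eff = ALL_CAPS, ALL_CAPS, True
    prm = (inh & file_inh) | (file_prm & bnd)
    eff = prm if file_eff else 0
    return {"CapInh": inh, "CapPrm": prm, "CapEff": eff, "CapBnd": bnd}

# The mask reported in the post.
MASK = 0x0000000100200002

if __name__ == "__main__":
    print(decode(MASK))
    # UID 1000 is an assumed value for the "test" user.
    print("User=test:", after_execve(MASK, MASK, uid=1000))
    print("root:     ", after_execve(MASK, MASK, uid=0))
```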