On Wed, 18.03.15 19:56, Nusenu ([email protected]) wrote: > Hi, > > I'm currently preparing a systemd service file for tor [1]. > > We make use of CapabilityBoundingSet and first we had it set to: > > CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE > > but after noticing that reloads fail I added CAP_KILL for reload to > work *via* the systemctl command. > > CAP_KILL is not required if you reload the process manually (kill -HUP > $PID) without using systemctl. > > That tells me that the ExecReload command (kill) is also restricted by > CapabilityBoundingSet. Is this expected and does that imply that every > service requires CAP_KILL for proper reloads with systemctl? > Is it possible to specify distinct CapabilityBoundingSets for the > service (ExecStart) and the reload (ExecReload)?
Simply set PermissionsStartOnly=yes in your unit file. If so, the permission-related settings (includeing CapabilityBoundingSet=) will only be applied to ExecStart=, not the ExecReload= or the other lines. Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
