>> I'm currently preparing a systemd service file for tor [1].
>>
>> We make use of CapabilityBoundingSet and first we had it set to:
>>
>> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
>>
>> but after noticing that reloads fail I added CAP_KILL for reload
>> to work *via* the systemctl command.
>>
>> CAP_KILL is not required if you reload the process manually (kill
>> -HUP $PID) without using systemctl.
>>
>> That tells me that the ExecReload command (kill) is also
>> restricted by CapabilityBoundingSet. Is this expected and does
>> that imply that every service requires CAP_KILL for proper
>> reloads with systemctl? Is it possible to specify distinct
>> CapabilityBoundingSets for the service (ExecStart) and the reload
>> (ExecReload)?
>
> Simply set PermissionsStartOnly=yes in your unit file. If so, the
> permission-related settings (including CapabilityBoundingSet=)
> will only be applied to ExecStart=, not the ExecReload= or the
> other lines.

Thanks for this info!

_______________________________________________
systemd-devel mailing list
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
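
To confirm which bounding set a process actually received, the CapBnd line of /proc/<pid>/status can be decoded. The script below is an added example, not part of the original thread or of systemd; the function names and the sample status text are constructed, and the sample mask corresponds to the first CapabilityBoundingSet quoted above (no CAP_KILL).

```shell
#!/bin/sh
# Added example: decode the CapBnd line of /proc/<pid>/status for the four
# capabilities named in the thread. Function names are hypothetical.

# Bit numbers as defined in linux/capability.h.
cap_bit() {
    case "$1" in
        CAP_KILL)             echo 5 ;;
        CAP_SETGID)           echo 6 ;;
        CAP_SETUID)           echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        *) return 1 ;;
    esac
}

# mask_for CAP...: print the hex bounding-set mask for the listed capabilities.
mask_for() {
    m=0
    for c in "$@"; do
        b=$(cap_bit "$c") || return 2
        m=$(( m | (1 << b) ))
    done
    printf '%016x\n' "$m"
}

# capbnd_of STATUS_TEXT: extract the hex CapBnd value from status text.
capbnd_of() {
    printf '%s\n' "$1" | awk '$1 == "CapBnd:" { print $2 }'
}

# bnd_has MASK CAP: exit 0 if CAP is in MASK, 1 if not, 2 if CAP is unknown.
bnd_has() {
    bit=$(cap_bit "$2") || return 2
    [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]
}

# report STATUS_TEXT: one CAP=yes/no line per capability from the thread.
report() {
    mask=$(capbnd_of "$1")
    for c in CAP_KILL CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE; do
        if bnd_has "$mask" "$c"; then echo "$c=yes"; else echo "$c=no"; fi
    done
}

# Constructed sample: status of a process started with the first bounding set.
SAMPLE_STATUS='Name:   tor
CapBnd: 00000000000004c0'

# Live use: report "$(cat /proc/<pid>/status)"
```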
