On Thu, 08.10.15 13:12, Andy Lutomirski ([email protected]) wrote: > For non-root services, getting Capabilities= and CapabilityBoundingSet= to > do anything useful is rather tricky. Would it make sense to add > AmbientCapabilities= to set ambient (and, implicitly, inheritable) > capabilities, which will be available in Linux 4.3? > > Alternatively, there could be a boolean option to change the meaning of > Capabilities so that it uses ambient capabilities instead of whatever it > currently does.
I am pretty sure we should deprecate/deemphesize Capabilities=, as it uses the weird POSIX syntax that nobody groks and is also useless. We kind of already suggest this in the man pages, but maybe should word this a bit stronger. I think CapabilityBoundingSet= is OK the way it is. Happy to take a patch that adds AmbientCapabilities= using the same parser as CapabilityBoundingSet=. Github PRs preferred. Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
