On Wed, 01.03.17 05:11, Mantas Mikulėnas ([email protected]) wrote:

> CapabilityBoundingSet is the exact opposite of what you need, then. It's
> the *bounding set*, it limits capabilities.
> 
> With recent kernels, you'll probably want AmbientCapabilities= as the
> simplest option. (Can't remember when that was introduced though.)
> 
> With older kernels you'll have to use the older Capabilities= setting *and*
> set file capabilities (setcap) on the executable itself.

We removed support for Capabilities= in current systemd versions. The
concept really was pretty much unusable the way it was. In current
systemd versions there's just CapabilityBoundingSet= to take away caps
forever, and AmbientCapabilities= to pass additional caps, but the
latter requires a somewhat recent kernel as mentioned.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
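
To check which of the two settings discussed in this thread took effect on a running service, the following decodes the Cap* lines of /proc/<pid>/status; it is an example added here, not part of the thread and not systemd code. The function names, the choice of CAP_NET_BIND_SERVICE and both sample status excerpts are assumptions constructed for illustration.

```python
import re

# Capability bit numbers 0..40, in the order of linux/capability.h.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID "
             "SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST "
             "NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO "
             "SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE "
             "SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
             "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM "
             "BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()

def parse_status(text):
    """Map 'CapInh', 'CapPrm', 'CapEff', 'CapBnd', 'CapAmb' to integer masks."""
    return {m[1]: int(m[2], 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}

def decode(mask):
    """Turn a capability bitmask into a sorted list of CAP_* names."""
    return sorted("CAP_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1)

def diagnose(status_text, wanted):
    """Say why a process does or does not hold the capability `wanted`."""
    sets = parse_status(status_text)
    bit = 1 << CAP_NAMES.index(wanted.replace("CAP_", "", 1))
    if not sets["CapBnd"] & bit:
        return "removed by the bounding set"
    if sets["CapEff"] & bit:
        via = "ambient" if sets.get("CapAmb", 0) & bit else "other means"
        return "held, granted via " + via
    if "CapAmb" not in sets:
        # Kernels without ambient capability support print no CapAmb line.
        return "not held; kernel reports no ambient set"
    return "not held; the bounding set only permits it"

# Constructed sample: non-root service with only
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE in its unit.
ONLY_BOUNDING = ("CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
                 "CapEff:\t0000000000000000\nCapBnd:\t0000000000000400\n"
                 "CapAmb:\t0000000000000000\n")
# Constructed sample: same unit plus AmbientCapabilities=CAP_NET_BIND_SERVICE.
WITH_AMBIENT = ("CapInh:\t0000000000000400\nCapPrm:\t0000000000000400\n"
                "CapEff:\t0000000000000400\nCapBnd:\t0000000000000400\n"
                "CapAmb:\t0000000000000400\n")

if __name__ == "__main__":
    for label, text in (("bounding only", ONLY_BOUNDING), ("with ambient", WITH_AMBIENT)):
        print(label, "->", diagnose(text, "CAP_NET_BIND_SERVICE"),
              "| effective:", decode(parse_status(text)["CapEff"]))
```
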
