On Mon, 2017-09-04 at 09:42 -0700, Russ Allbery wrote:
> kjonca@poczta.onet.pl (Kamil Jońca) writes:
>
> > Hm. I tried to add
> > AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
> > and took the capabilities off the file, but without success (i.e. the
> > service does not start).
> > Should I do something else?
>
> Does it produce any useful error messages? Maybe this doesn't work the
> way that I thought it did. The active capabilities are the effective
> ones, but ambient becomes effective after execve, so I would have expected
> them to be in place for the process once systemd execs it.

Ambient capabilities were introduced in Linux 4.3. I don't know what
systemd does on older kernel versions, but there is no good fallback.

Ben.

-- 
Ben Hutchings
Knowledge is power. France is bacon.
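An added example, not part of Ben's message or of anything else in this thread: a POSIX shell script that checks the two things a practitioner would want to verify here, namely whether the running kernel is at least 4.3 (the requirement Ben points out for ambient capabilities) and whether the three capabilities from Kamil's AmbientCapabilities= line actually landed in a process's ambient set, by decoding the CapAmb mask that /proc/<pid>/status reports. The status text used for the demonstration is constructed; the capability bit numbers are the kernel's own constants from <linux/capability.h>. To check a real unit, read /proc/$(systemctl show -p MainPID --value the-unit.service)/status instead of the sample.

```shell
#!/bin/sh
# Added example (not code from the thread): kernel-version check for
# systemd's AmbientCapabilities= and a decoder for /proc/<pid>/status
# Cap* masks. Pure POSIX sh, no capsh/getpcaps needed.

# Kernel capability numbers, in bit order (word n+1 = capability n).
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ"

# kernel_supports_ambient RELEASE: return 0 if RELEASE (as printed by
# `uname -r`, e.g. 4.9.0-3-amd64) is >= 4.3, the first kernel with an
# ambient capability set.
kernel_supports_ambient() {
    rel=$1
    case $rel in *.*) ;; *) rel="$rel.0" ;; esac   # tolerate a bare "4"
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}                          # strip ".0-3-amd64"
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 3 ]; then return 0; fi
    return 1
}

# cap_name N: symbolic name of capability number N.
cap_name() {
    n=$1
    set -- $CAP_NAMES
    if [ "$n" -lt $# ]; then
        shift "$n"
        printf '%s\n' "$1"
    else
        printf 'cap_%s\n' "$n"                      # newer than our table
    fi
}

# cap_names_from_mask HEX: names of the set bits in a Cap* mask such as
# "0000000000003400", space separated in ascending bit order.
cap_names_from_mask() {
    mask=$((0x$1))
    bit=0
    out=""
    while [ "$bit" -lt 64 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$(cap_name "$bit")"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# cap_field FIELD STATUS_TEXT: the hex mask of FIELD (CapAmb, CapEff, ...)
# from the text of a /proc/<pid>/status file.
cap_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# Constructed sample of what a service started with
# AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
# should show on a kernel that supports the ambient set.
SAMPLE_STATUS='Name:   ping
CapInh: 0000000000000000
CapPrm: 0000000000003400
CapEff: 0000000000003400
CapBnd: 0000003fffffffff
CapAmb: 0000000000003400'

# Demonstration: check the running kernel, then decode the sample.
if kernel_supports_ambient "$(uname -r)"; then
    echo "kernel $(uname -r): ambient capabilities supported"
else
    echo "kernel $(uname -r): older than 4.3, AmbientCapabilities= cannot work"
fi
for f in CapEff CapAmb; do
    echo "$f in sample: $(cap_names_from_mask "$(cap_field "$f" "$SAMPLE_STATUS")")"
done
```

On a working setup CapAmb should list exactly the capabilities named in the unit; an all-zero CapAmb on a kernel that passes the version check means the capabilities were dropped somewhere else (for example by the service itself re-executing or by a missing bounding-set entry), while a failed version check matches the situation Ben describes, where systemd has nothing to fall back on.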