Hi,

Thanks for the replies.

On 05/06/2015 11:53, Eelco Dolstra wrote:
> Hi,
>
> On 05/06/15 00:37, Oliver Charles wrote:
>
>> I believe the User option in systemd unit configuration should do this.
>
> I think you'll also need:
>
>   systemd.services.my-unit.serviceConfig.CapabilityBoundingSet =
>     "CAP_NET_BIND_SERVICE";

Would you mind expanding on how this would work? I've had a bit of a play and it seems the two options are to set User=root and have the CapabilityBoundingSet cut down the privileges, or set User=darcsden but then I need a binary that I've run setcap on somehow, because the binary's capabilities are an upper bound. Am I missing something?

> Alternatively, socket activation combined with the User setting should work.

Yeah, that does sound like the nicest solution, I'll look at changing the code to support that.

Cheers,

Ganesh
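The socket-activation approach discussed in this message, sketched as a NixOS module fragment. This is an added example, not configuration from the thread or from darcsden itself. The unit name `darcsden`, port 80, and the binary path are assumptions, as is a server that accepts the listening socket systemd hands it as file descriptor 3 (announced through the `LISTEN_FDS` and `LISTEN_PID` environment variables) instead of calling bind() itself.

```nix
{ config, pkgs, ... }:

{
  # systemd (PID 1, running as root) binds the privileged port, so the
  # service process never needs CAP_NET_BIND_SERVICE.
  systemd.sockets.darcsden = {
    description = "darcsden listening socket";
    wantedBy = [ "sockets.target" ];
    listenStreams = [ "80" ];            # assumed port
  };

  # darcsden.socket activates darcsden.service on the first connection
  # (units are matched by name) and passes the bound socket as fd 3.
  systemd.services.darcsden = {
    description = "darcsden (socket activated, unprivileged)";
    requires = [ "darcsden.socket" ];
    after = [ "darcsden.socket" ];

    serviceConfig = {
      # Assumed: a "darcsden" user and group already exist on the system.
      User = "darcsden";
      Group = "darcsden";

      # Placeholder path; substitute the real package's binary.
      ExecStart = "/path/to/darcsden";

      # With the socket inherited, the bounding set can be emptied
      # rather than narrowed to CAP_NET_BIND_SERVICE.
      CapabilityBoundingSet = "";

      # Prevent the process and its children from regaining privileges
      # through setuid binaries or file capabilities.
      NoNewPrivileges = true;
    };
  };
}
```

After a rebuild, `systemctl status darcsden.socket` should show the socket listening while `darcsden.service` stays inactive until the first connection arrives.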
