-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi,
I'm currently preparing a systemd service file for tor [1]. We make use of CapabilityBoundingSet and first we had it set to: CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE but after noticing that reloads fail I added CAP_KILL for reload to work *via* the systemctl command. CAP_KILL is not required if you reload the process manually (kill -HUP $PID) without using systemctl. That tells me that the ExecReload command (kill) is also restricted by CapabilityBoundingSet. Is this expected and does that imply that every service requires CAP_KILL for proper reloads with systemctl? Is it possible to specify distinct CapabilityBoundingSets for the service (ExecStart) and the reload (ExecReload)? thanks, Nusenu I'm testing on debian jessie (using systemd 215). [1] https://github.com/nusenu/tor-multi-instance-initscripts/blob/master/debian/tor.service https://bugs.torproject.org/14995 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJVCdhuAAoJEFv7XvVCELh06YoQAKAlh6ChGYm2ZIJU0keuCZ9c 24yqBXjmS9w6Of40u5sySu1MDo+UcjqEM/h7WxxDOlJsRRnKf8I3VOHpoOWaqfpC 36/AynnL5IO5lmaAmrrq6IfQ1h0Zrbns8HsOnHPcubg7v2O7WhaWDkZtHsjweG4Z EcThzJUaoFRyMWThoCecG+ASrAnIMr6ArNP2bJ8wuQuxqnKetfqIdvJtGx3P2OLA TbZ1AqmPEAFoHq3yQIRZyfW4Qu/9YHxmXm9se0k0lCnHyPf1RLrWUtqzvGDMSY+M fAMsi8hgz10wM4XB1UoSJpYki/Bci8pMT4HBl/g200ss/qmBUNEyhCC+2tWpoBJx D6VYSbsBUdzVJDKUQHYn86/Q+Y2ZbzlYJdENJr/O5RgT+5UrgqdJiAP4PY/MZEsi RzieVlOdMUW1p9y0kb6UqzNtvNl8ke63UAxn4teaHXNMOVbqoF1J3/Nx3kgwsFRl lyRixX+Tqqajx3ZeMPxodXFPeRTJAH4Jm7CQ6jHROYOdCb86RnXznYaWfPGh4jcU oxx3nTqz82jSPchCLMx2wrzf0cgVN8qa5XWyZR+hJ5wK8AhgEZZ1F+w0EyqvAcbW 8RXzkLWEwEBGhONYi4brVEH8jxX9KkQisltPIz558lRQJcj7ad6pHrubu45nFYoM +aNJen86BnUQsW7gbkMq =bKlR -----END PGP SIGNATURE----- _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
