CapabilityBoundingSet is the exact opposite of what you need, then. It's
the *bounding set*, it limits capabilities.

With recent kernels, you'll probably want AmbientCapabilities= as the
simplest option. (Can't remember when that was introduced though.)

With older kernels you'll have to use the older Capabilities= setting *and*
set file capabilities (setcap) on the executable itself.

(Well, depending on what file caps you set you might not even need any
systemd settings at all... See e.g. "getcap /sbin/ping" as a fully
standalone example, iirc it uses "cap_foo=eip" for this.)

On Wed, Mar 1, 2017, 00:40 Ian Pilcher <arequip...@gmail.com> wrote:

Does anyone know of a "howto" or similar that lists the steps that I
need to take to run a service as a non-root user (nobody) with
CAP_NET_RAW?

I've tried adding CapabilityBoundingSet=CAP_NET_RAW to the [Service]
section of my unit file, but it doesn't appear to be working.

What else do I need to do?

Thanks!

--
========================================================================
Ian Pilcher                                         arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- 

Mantas Mikulėnas <graw...@gmail.com>
Sent from my phone
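
A check for the distinction drawn in the reply above, as an added example that is not part of the original thread: it reads the `Cap*` masks from `/proc/<pid>/status` and reports which sets contain CAP_NET_RAW, so a bounding set (a limit) can be told apart from a capability the process actually holds. The function names and both sample status excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which capability sets of a process contain a capability,
# from the Cap* hex masks in /proc/<pid>/status.

CAP_NET_RAW=13   # bit number of CAP_NET_RAW in <linux/capability.h>

# cap_sets STATUS_TEXT BIT: print the sets (Inh Prm Eff Bnd Amb) whose mask has BIT set.
cap_sets() {
    out=
    while read -r key mask; do
        case $key in
            CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
                if [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]; then
                    name=${key#Cap}
                    out="$out${out:+ }${name%:}"
                fi ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$out"
}

# holds_cap STATUS_TEXT BIT: succeed only if the capability is in the effective set,
# which is what the kernel checks when the service opens a raw socket.
holds_cap() {
    case " $(cap_sets "$1" "$2") " in
        *" Eff "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: non-root service with only CapabilityBoundingSet=CAP_NET_RAW.
BOUNDING_ONLY='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000002000
CapAmb: 0000000000000000'

# Constructed sample: non-root service with AmbientCapabilities=CAP_NET_RAW.
AMBIENT='CapInh: 0000000000002000
CapPrm: 0000000000002000
CapEff: 0000000000002000
CapBnd: 0000003fffffffff
CapAmb: 0000000000002000'

# With a PID argument, inspect a live process (for example the unit's MainPID).
if [ -n "${1:-}" ]; then
    cap_sets "$(cat "/proc/$1/status")" "$CAP_NET_RAW"
fi
```

A result of `Bnd` alone means the capability is permitted by the bounding set but not held; the service needs it in `Eff` to use raw sockets.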