On Tue, 2017-03-07 at 16:54 +0100, Stefan Seyfried wrote:
On 07.03.2017 01:45, Stefan Bruens wrote:
Why are the systemd haters always claiming stuff without once reading the man pages?
Why are systemd lovers always claiming stuff in the man pages actually works when it doesn't?
man systemd.unit: EXAMPLES Alternatively, the administrator could create a drop-in file /etc/systemd/system/httpd.service.d/local.conf with the following contents: [...]
Been there, done that.
server:~ # cat /etc/systemd/system/collectd.service.d/10-caps.conf
[Service]
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN
Does not work. Once systemd comes to the point of reading 10-caps.conf, it has already dropped all caps and cannot regain them.
Once again, man systemd.exec:

CapabilityBoundingSet=
Controls which capabilities to include in the capability bounding set for the executed process. See capabilities(7) for details. Takes a whitespace-separated list of capability names, e.g. CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Capabilities listed will be included in the bounding set, all others are removed. If the list of capabilities is prefixed with "~", all but the listed capabilities will be included, the effect of the assignment inverted. [...] This option may appear more than once, in which case the bounding sets are merged. If the empty string is assigned to this option, the bounding set is reset to the empty capability set, and all prior settings have no effect. *If set to "~" (without any further argument), the bounding set is reset to the full set of available capabilities,* also undoing any previous settings. This does not affect commands prefixed with "+".

CapabilityBoundingSet=~
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN

Regards,

Stefan
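As an added example (not code from the thread or from systemd), here is a small shell model of the CapabilityBoundingSet= rules quoted above, run over a constructed unit file and the drop-in both with and without the leading "CapabilityBoundingSet=~" line. The abbreviated ALL_CAPS list, the unit's contents, and the rule that an assignment replaces the set while it is still the full set (fresh or just reset) but merges otherwise are assumptions of the example.

```shell
# Added example, not code from the thread or from systemd: a small model of how
# systemd combines repeated CapabilityBoundingSet= lines from a unit file and its
# drop-ins, following the man systemd.exec rules quoted above. ALL_CAPS is a
# constructed, abbreviated stand-in for the full capability set.
ALL_CAPS="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_ADMIN"
# Constructed sample: the [Service] section of an assumed packaged unit ...
UNIT_LINES="CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN"
# ... and the drop-in from the reply, which resets with "~" before its own list.
DROPIN_LINES="CapabilityBoundingSet=~
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN"
has_cap() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }
add_cap() { if has_cap "$1" "$2"; then echo "$1"; else echo "${1:+$1 }$2"; fi; }
remove_cap() {
    out=""; for c in $1; do [ "$c" = "$2" ] || out="${out:+$out }$c"; done; echo "$out"
}
sorted() { printf '%s\n' $1 | LC_ALL=C sort | xargs; }
is_full() { [ "$(sorted "$1")" = "$(sorted "$ALL_CAPS")" ]; }
# The set a single assignment value denotes (text after "CapabilityBoundingSet=").
value_set() {
    case "$1" in
        "")   echo "" ;;                          # empty string: the empty set
        "~")  echo "$ALL_CAPS" ;;                 # bare "~": the full set
        "~"*) s="$ALL_CAPS"; for c in ${1#"~"}; do s=$(remove_cap "$s" "$c"); done; echo "$s" ;;
        *)    s=""; for c in $1; do s=$(add_cap "$s" "$c"); done; echo "$s" ;;
    esac
}
# Read CapabilityBoundingSet= lines from stdin in file order and print the result.
# Assumption: a unit starts with the full set, and an assignment replaces the set
# while it is still full (fresh, or just reset by "~"); otherwise the sets merge.
cap_set_merge() {
    cur="$ALL_CAPS"
    while IFS= read -r line; do
        case "$line" in CapabilityBoundingSet=*) ;; *) continue ;; esac
        new=$(value_set "${line#CapabilityBoundingSet=}")
        if [ -z "$new" ] || is_full "$new" || is_full "$cur"; then
            cur="$new"
        else
            for c in $new; do cur=$(add_cap "$cur" "$c"); done
        fi
    done
    sorted "$cur"
}
# Drop-in without the reset line: the lists merge, CAP_NET_BIND_SERVICE survives.
merged_without_reset() { printf '%s\n' "$UNIT_LINES" "CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN" | cap_set_merge; }
# With the reset first, only the drop-in's three capabilities remain. On a real
# host, after systemctl daemon-reload, compare with:
#   systemctl show -p CapabilityBoundingSet collectd.service
merged_with_reset() { printf '%s\n' "$UNIT_LINES" "$DROPIN_LINES" | cap_set_merge; }
echo "without reset: $(merged_without_reset)"; echo "with reset: $(merged_with_reset)"
```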