Christian Boltz changed bug 991901

What       Removed                  Added
Component  AppArmor                 Basesystem
Version    Leap 42.2                Current
Assignee   suse-beta@cboltz.de      systemd-maintainers@suse.de
Product    openSUSE Distribution    openSUSE Tumbleweed

Comment # 9 on bug 991901 from
I'll hand over this bug to the systemd maintainers since I believe it should be
fixed in systemd ;-)

The short version is that lots of daemons (for example samba and apache)
request capability sys_admin because of the way they communicate with systemd
(sd_notifyf). Those daemons still work without granting this capability and can
even talk to systemd, so it would be nice if we wouldn't need to grant that
powerful capability to lots of daemons.

See comment #2 and #6 for more technical details.


The most relevant part of the discussion in #apparmor (from 2016-08-09) is
probably

<sarnold> oh right, _this_ bit is the sendbuf and recvbuf ...
<sarnold> cboltz: to be honest I'm surprised that these options require privs :(
<cboltz> capabilities(7) lists the SO_SNDBUFFORCE flag in the NET_ADMIN section
<sarnold> https://github.com/systemd/systemd/blob/master/src/basic/socket-util.c#L836
[link updated, was originally #L754]
<sarnold> love it
<sarnold> they try the one that requires root privileges -first-
<sarnold> rather than the one that might succeed if the admin has configured the system properly first
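The order the chat complains about (privileged setsockopt first, unprivileged one as the fallback) is what makes confined daemons show up as wanting a capability they do not need. The reverse order, as an added example that is not systemd's code and not part of this bug, tries plain SO_SNDBUF first and only reaches for SO_SNDBUFFORCE (which capabilities(7) places under CAP_NET_ADMIN) when the kernel could not grant the request because net.core.wmem_max is lower than what was asked for. The function names set_sndbuf_least_privilege, sndbuf_bytes, unprivileged_ok and privileged_path_needed are hypothetical; the code assumes Linux, where getsockopt(2) reports back twice the requested SO_SNDBUF value (man 7 socket), so "big enough" is checked against 2 * want rather than against want itself.

```c
/* Added example, not systemd's code: raise a socket's send buffer while
 * asking for privilege only when the unprivileged path really is too small.
 * Assumes Linux semantics: the kernel doubles SO_SNDBUF on set and reports
 * the doubled value on get; SO_SNDBUF silently clamps to net.core.wmem_max,
 * SO_SNDBUFFORCE ignores that limit but needs CAP_NET_ADMIN. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Send buffer size as the kernel reports it, or -1 on error. */
int sndbuf_bytes(int fd) {
    int value = 0;
    socklen_t len = sizeof value;
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, &len) < 0 || len != sizeof value)
        return -1;
    return value;
}

/* Try SO_SNDBUF (no capability needed, honours wmem_max) first; fall back to
 * SO_SNDBUFFORCE only if the kernel clamped the request.  *tried_force becomes
 * 1 when the privileged path was attempted, which is the event worth logging
 * when deciding whether a daemon's profile really needs net_admin.
 * Returns 0 on success, -1 with errno set on failure. */
int set_sndbuf_least_privilege(int fd, int want, int *tried_force) {
    int value = want;
    if (tried_force)
        *tried_force = 0;

    if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof value) < 0)
        return -1;

    /* SO_SNDBUF does not fail when it clamps, so inspect the result. */
    int got = sndbuf_bytes(fd);
    if (got < 0)
        return -1;
    if ((long)got >= 2L * want)
        return 0;                       /* admin's wmem_max was sufficient */

    if (tried_force)
        *tried_force = 1;
#ifdef SO_SNDBUFFORCE
    value = want;
    if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof value) < 0)
        return -1;                      /* EPERM without CAP_NET_ADMIN */
    return 0;
#else
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Helpers for the demonstration: each opens a throwaway AF_UNIX datagram
 * socket pair, applies the request, and reports one fact about the outcome. */
int unprivileged_ok(int want) {
    int sv[2], tried = 0, rc;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    rc = set_sndbuf_least_privilege(sv[0], want, &tried);
    close(sv[0]);
    close(sv[1]);
    return rc == 0 && tried == 0;
}

int privileged_path_needed(int want) {
    int sv[2], tried = 0;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    set_sndbuf_least_privilege(sv[0], want, &tried);
    close(sv[0]);
    close(sv[1]);
    return tried;
}

int main(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
        perror("socketpair");
        return 1;
    }
    int tried = 0;
    int rc = set_sndbuf_least_privilege(sv[0], 16 * 1024, &tried);
    printf("16 KiB:  rc=%d tried_force=%d now=%d bytes\n", rc, tried, sndbuf_bytes(sv[0]));

    /* 256 MiB is above any ordinary wmem_max, so the privileged path is hit;
     * whether it succeeds depends on whether this process holds CAP_NET_ADMIN. */
    rc = set_sndbuf_least_privilege(sv[0], 256 * 1024 * 1024, &tried);
    int saved = errno;
    printf("256 MiB: rc=%d tried_force=%d (%s) now=%d bytes\n",
           rc, tried, rc ? strerror(saved) : "ok", sndbuf_bytes(sv[0]));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

Run it once as an unprivileged user and once under the daemon's real confinement: a request within wmem_max never touches SO_SNDBUFFORCE, so a profile that denies net_admin produces no audit noise for it, while the tried_force flag pinpoints the one request that actually exceeds the administrator's limit.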

