Cristiano

Reputation: 876

systemd service file and CapabilityBoundingSet

I am trying to reduce the root user capabilities by using the CapabilityBoundingSet option in my service file. Anyway, it seems I cannot prevent root from writing a file.

For example, with this service file:

$ cat test.service
[Unit]
Description=Test
After=basic.target

[Service]
ExecStart=/bin/sh -c "echo 172 > /target"
CapabilityBoundingSet=CAP_DAC_READ_SEARCH

So, if I have this original file:

$ cat /target
I am the original file
$ systemctl start test.service
$ cat /target
172
$ whoami
root

My kernel version is 3.1.10.

I have also tried with an empty set, or other capabilities, but it is not working. What could be wrong?

Upvotes: 2

Views: 3144

Answers (1)

Cristiano

Reputation: 876

My problem was simple: the file I was trying to modify is owned by root, and this is why I am able to perform the change. If I change the owner, then I am no longer allowed to modify it.

Upvotes: 1
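
The behaviour described in the answer, as an added example that is not part of the original post: a simplified Python model of the kernel's permission check for a regular file, showing that capabilities are consulted only after the ordinary mode bits have denied access. It assumes the service's effective capability set equals the unit's bounding set; the function names and the uid 1000 owner are constructed for illustration.

```python
# Simplified model of the Linux permission check for a regular file.
# Illustration only: ignores ACLs, LSMs and read-only mounts.
MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4

# Capability bit numbers from <linux/capability.h>
CAP_DAC_OVERRIDE = 1
CAP_DAC_READ_SEARCH = 2


def cap_mask(*caps):
    """Build a bitmask like the CapEff/CapBnd fields of /proc/<pid>/status."""
    mask = 0
    for cap in caps:
        mask |= 1 << cap
    return mask


def may_access(want, fsuid, groups, st_uid, st_gid, st_mode, cap_eff):
    """Return True if `want` (MAY_* bits) would be allowed on a regular file."""
    # 1. Exactly one permission class applies: owner, group or other.
    if fsuid == st_uid:
        bits = (st_mode >> 6) & 7
    elif st_gid in groups:
        bits = (st_mode >> 3) & 7
    else:
        bits = st_mode & 7
    # 2. If the mode bits grant the access, no capability is consulted.
    if (want & ~bits) == 0:
        return True
    # 3. Only a failed mode check falls back to capabilities.
    if cap_eff & (1 << CAP_DAC_OVERRIDE):
        # Execute still needs at least one x bit set on the file.
        if not (want & MAY_EXEC) or (st_mode & 0o111):
            return True
    if cap_eff & (1 << CAP_DAC_READ_SEARCH) and want == MAY_READ:
        return True
    return False


# Constructed cases: uid 0 process whose effective set is the unit's bounding set.
SERVICE_CAPS = cap_mask(CAP_DAC_READ_SEARCH)
ROOT = dict(fsuid=0, groups={0}, cap_eff=SERVICE_CAPS)

if __name__ == "__main__":
    # /target owned by root, mode 0644: owner bits allow the write.
    print(may_access(MAY_WRITE, st_uid=0, st_gid=0, st_mode=0o644, **ROOT))
    # Same file owned by (assumed) uid 1000: write needs CAP_DAC_OVERRIDE.
    print(may_access(MAY_WRITE, st_uid=1000, st_gid=1000, st_mode=0o644, **ROOT))
    # Reading a 0600 file of uid 1000 is still allowed via CAP_DAC_READ_SEARCH.
    print(may_access(MAY_READ, st_uid=1000, st_gid=1000, st_mode=0o600, **ROOT))
```

On a live system, the `CapBnd` and `CapEff` lines of `/proc/<pid>/status` for the service's main process show which capabilities it actually holds.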
