George Shuklin

Reputation: 7907

Running nobody (or dynamic user) with CAP_NET_RAW in systemd

I want to run a service with cap_net_raw capabilities but with no interaction with the filesystem and/or other processes. My program will use raw sockets and normal sockets (for the API), stdout/err for logging, and that's all.

I want to write a systemd .service file to do this, but I couldn't produce a proper combination of DynamicUser, User and CapabilityBoundingSet.

My (non-working) unit looks like this:

[Unit]
Description=my daemon (%I)
ConditionFileNotEmpty=/etc/daemon/%i.conf
Wants=network-online.target
BindsTo=daemon.target

[Service]
Type=simple
WorkingDirectory=/etc/daemon
EnvironmentFile=/etc/daemon/%i.conf
ExecStart=/usr/bin/daemon ${OPTIONS}
CapabilityBoundingSet=CAP_NET_RAW
ProtectSystem=true
ProtectHome=true
RestartSec=5s
Restart=on-failure
User=daemon-%i
Group=nobody
DynamicUser=true

[Install]
WantedBy=daemon.target

How can I configure a dynamic user 'nobody' together with CAP_NET_RAW?

Upvotes: 3

Views: 1986

Answers (1)

musicinmybrain

Reputation: 641

You also need:

AmbientCapabilities=CAP_NET_RAW

See this question about the difference between AmbientCapabilities and CapabilityBoundingSet, as well as the documentation.

Upvotes: 4
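Added example (not code from the question or the answer): a small checker that applies the answer's point to a unit file and then verifies the result the way a practitioner would on the running process. `check_unit()` parses the `[Service]` section and reports when a non-root service (User= or DynamicUser=) lists a capability in CapabilityBoundingSet= but not in AmbientCapabilities=, which is exactly the question's situation, and also when the capability is missing from a restricted bounding set, in which case no ambient setting can help. `proc_status_caps()` / `has_cap()` decode the `CapEff`/`CapBnd`/`CapAmb` hex masks from `/proc/<pid>/status` so you can confirm CAP_NET_RAW (bit 13) actually reached the process. The unit texts and the `/proc` status excerpts below are constructed for the example; the function names are my own and not part of systemd.

```python
import re

CAP_NET_RAW = 13  # bit number of CAP_NET_RAW in <linux/capability.h>


def parse_unit(text):
    """Parse unit-file text into {section: {key: [value, ...]}}.
    Keys may repeat in systemd units, so values are kept as ordered lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def cap_list(values):
    """Flatten repeated capability assignments the way systemd does: an empty
    assignment resets the set, later ones append.  Returns None for a value
    inverted with '~' (everything except ...), which this checker does not
    enumerate and therefore treats as permissive."""
    caps = set()
    for v in values:
        if v == "":
            caps.clear()
            continue
        for tok in v.split():
            if tok.startswith("~"):
                return None
            caps.add(tok.upper())
    return caps


def check_unit(text, needed=("CAP_NET_RAW",)):
    """Return the reasons why each `needed` capability would not reach the
    service process.  For a non-root service both must hold: the capability
    is inside CapabilityBoundingSet= (when that is restricted) and it is in
    AmbientCapabilities= so it survives the switch away from root."""
    svc = parse_unit(text).get("Service", {})
    problems = []

    dynamic = svc.get("DynamicUser", ["no"])[-1].lower() in ("1", "yes", "true", "on")
    user = svc.get("User", ["root"])[-1]
    if dynamic:
        who = "a dynamic user"
    elif user not in ("root", "0"):
        who = f"User={user}"
    else:
        who = None  # stays root: no uid change, nothing is dropped

    bounding = cap_list(svc["CapabilityBoundingSet"]) if "CapabilityBoundingSet" in svc else None
    ambient = cap_list(svc.get("AmbientCapabilities", [])) or set()

    for cap in needed:
        cap = cap.upper()
        if bounding is not None and cap not in bounding:
            problems.append(f"{cap} is outside CapabilityBoundingSet=, so the service can never hold it")
        elif who and cap not in ambient:
            problems.append(f"{cap} is dropped when switching to {who}; add AmbientCapabilities={cap}")
    return problems


def proc_status_caps(status_text):
    """Extract the capability masks from /proc/<pid>/status text as ints."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(masks, bit=CAP_NET_RAW, field="CapEff"):
    """True if capability `bit` is present in the chosen mask (effective set by default)."""
    return bool((masks.get(field, 0) >> bit) & 1)


# Constructed [Service] section modelled on the question's unit (not a file on disk).
BROKEN_UNIT = """\
[Service]
Type=simple
ExecStart=/usr/bin/daemon ${OPTIONS}
CapabilityBoundingSet=CAP_NET_RAW
User=daemon
Group=nobody
DynamicUser=true
"""
FIXED_UNIT = BROKEN_UNIT + "AmbientCapabilities=CAP_NET_RAW\n"
# Bounding set that excludes the capability the ambient set asks for.
MISMATCHED_UNIT = BROKEN_UNIT.replace("CapabilityBoundingSet=CAP_NET_RAW",
                                      "CapabilityBoundingSet=CAP_NET_ADMIN") + "AmbientCapabilities=CAP_NET_RAW\n"

# Constructed /proc/<pid>/status excerpts: 0x2000 is bit 13, CAP_NET_RAW.
STATUS_NO_CAPS = "Name:\tdaemon\nUid:\t64000\nCapEff:\t0000000000000000\nCapBnd:\t0000000000002000\nCapAmb:\t0000000000000000\n"
STATUS_WITH_RAW = "Name:\tdaemon\nUid:\t64000\nCapEff:\t0000000000002000\nCapBnd:\t0000000000002000\nCapAmb:\t0000000000002000\n"

if __name__ == "__main__":
    for name, unit in (("question's unit", BROKEN_UNIT),
                       ("with AmbientCapabilities", FIXED_UNIT),
                       ("mismatched sets", MISMATCHED_UNIT)):
        print(f"{name}: {check_unit(unit) or ['ok']}")
    for name, status in (("before", STATUS_NO_CAPS), ("after", STATUS_WITH_RAW)):
        print(f"{name}: CAP_NET_RAW effective = {has_cap(proc_status_caps(status))}")
```

On a live system the same verification is `systemctl show -p CapabilityBoundingSet -p AmbientCapabilities daemon@foo.service` for the unit's view, and `grep '^Cap' /proc/$(systemctl show -p MainPID --value daemon@foo.service)/status` (or `capsh --decode=<hex>` from libcap) for what the process actually holds; a non-root process whose CapEff line is all zeros is the symptom the question describes. The example keeps CAP_NET_RAW in both directives, matching the question's CapabilityBoundingSet= plus the answer's AmbientCapabilities=, rather than relying on either one alone.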
