
Re: thoughts about freeradius package (especially dhcp)




On Mon, 2017-09-04 at 09:42 -0700, Russ Allbery wrote:
> kjonca@xxxxxxxxxxxxxx (Kamil Jońca) writes:
> 
> > Hm. I tried to add
> > AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
> > and took off capabilities from file but without success (i.e. service
> > does not start)
> > Should I do something else?
> 
> Does it produce any useful error messages?  Maybe this doesn't work the
> way that I thought it did.  The active capabilities are the effective
> ones, but ambient becomes effective after execve, so I would have expected
> them to be in place for the process once systemd execs it.

Ambient capabilities were introduced in Linux 4.3.  I don't know what
systemd does on older kernel versions, but there is no good fallback.

Ben.

-- 
Ben Hutchings
Knowledge is power.  France is bacon.

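Added example, not part of the original message: a shell check that decodes the `CapAmb` and `CapEff` masks from `/proc/<pid>/status` for the three capabilities named in the thread, and reports when the `CapAmb` field is absent, as it is on kernels older than 4.3. The function names, the sample status text and the unit name in the final comment are assumptions made for illustration.

```shell
#!/bin/sh
# Bit numbers from <linux/capability.h> for the capabilities named in the thread.
CAPS="CAP_NET_BIND_SERVICE:10 CAP_NET_ADMIN:12 CAP_NET_RAW:13"

# cap_mask FIELD: read status text on stdin, print the hex mask for FIELD.
cap_mask() {
    awk -v key="$1:" '$1 == key { print $2 }'
}

# check_caps: read /proc/<pid>/status text on stdin.
# Returns 0 if all three capabilities are effective, 1 if any is missing,
# 2 if there is no CapAmb field (kernel without an ambient capability set).
check_caps() {
    status=$(cat)
    amb=$(printf '%s\n' "$status" | cap_mask CapAmb)
    eff=$(printf '%s\n' "$status" | cap_mask CapEff)
    eff=${eff:-0}
    if [ -z "$amb" ]; then
        echo "no CapAmb field: kernel has no ambient capability set"
        return 2
    fi
    rc=0
    for entry in $CAPS; do
        name=${entry%%:*}
        bit=${entry##*:}
        a=$(( (0x$amb >> $bit) & 1 ))
        e=$(( (0x$eff >> $bit) & 1 ))
        echo "$name ambient=$a effective=$e"
        [ "$e" -eq 1 ] || rc=1
    done
    return "$rc"
}

# Constructed sample: a service started with all three ambient capabilities.
SAMPLE='CapInh:	0000000000003400
CapPrm:	0000000000003400
CapEff:	0000000000003400
CapBnd:	0000003fffffffff
CapAmb:	0000000000003400'
printf '%s\n' "$SAMPLE" | check_caps

# On a live system (the unit name is an assumption):
#   check_caps < "/proc/$(systemctl show -p MainPID --value freeradius.service)/status"
```
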