What is the difference between AmbientCapabilities and CapabilityBoundingSet?
They're complete opposites:
AmbientCapabilities
grants capabilities that the process normally wouldn't have started with.
CapabilityBoundingSet
limits capabilities the process is allowed to obtain. It doesn't grant any.
For your task, it is enough to set AmbientCapabilities to grant the privileges – the bounding set already allows everything by default, so there's no need to change the it.
Instead, the latter is meant to be a security hardening feature. Even if the service literally runs as root (uid 0) – or calls a setuid-root program like 'su' or 'sudo' – it can never gain any privileges that aren't in its bounding set.
But you can (and perhaps should) set both if you're sure your service won't be directly running anything that needs higher privileges.
Related videos on Youtube
![AIcfpNaWbMmItYvxbWwED](https://i.stack.imgur.com/5on7r.jpg?s=256&g=1)
AIcfpNaWbMmItYvxbWwED
Updated on September 18, 2022Comments
-
AIcfpNaWbMmItYvxbWwED almost 2 years
I am trying to create a systemd service for a web server process that has to bind to port 80 and 443. I found some examples setting
AmbientCapabilities=CAP_NET_BIND_SERVICE
and setting bothAmbientCapabilities
andCapabilityBoundingSet
. From the doc, it is not clear. Systemd doc: link. Linux man doc: linkShould I set both or just AmbientCapabilities?