What is the difference between AmbientCapabilities and CapabilityBoundingSet?

systemd services webserver capabilities

5,551

They're complete opposites:

AmbientCapabilities grants capabilities that the process normally wouldn't have started with.

CapabilityBoundingSet limits capabilities the process is allowed to obtain. It doesn't grant any.

For your task, it is enough to set AmbientCapabilities to grant the privileges – the bounding set already allows everything by default, so there's no need to change the it.

Instead, the latter is meant to be a security hardening feature. Even if the service literally runs as root (uid 0) – or calls a setuid-root program like 'su' or 'sudo' – it can never gain any privileges that aren't in its bounding set.

But you can (and perhaps should) set both if you're sure your service won't be directly running anything that needs higher privileges.

5,551

Related videos on Youtube

Author by

AIcfpNaWbMmItYvxbWwED

Updated on September 18, 2022

Comments

AIcfpNaWbMmItYvxbWwED almost 2 years

I am trying to create a systemd service for a web server process that has to bind to port 80 and 443. I found some examples setting AmbientCapabilities=CAP_NET_BIND_SERVICE and setting both AmbientCapabilities and CapabilityBoundingSet. From the doc, it is not clear. Systemd doc: link. Linux man doc: link

Should I set both or just AmbientCapabilities?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?

How to troubleshoot crashes detected by Google Play Store for Flutter app

Cupertino DateTime picker interfering with scroll behaviour

Why does awk -F work for most letters, but not for the letter "t"?

Flutter change focus color and icon color but not works

How to print and connect to printer using flutter desktop via usb?

Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0

Flutter Dart - get localized country name from country code

navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage

Android Sdk manager not found- Flutter doctor error

Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)

How to change the color of ElevatedButton when entering text in TextField

Related

Failing to Start gunicorn.service using systemd

Failed to start systemd-resolved.service . systemd-resolved.service: Failed with result 'resources'. [1]: Failed to start Network Name Resolution

Systemd service script fails to write into a file

Trying to setup user systemd service: Loaded: not-found (Reason: No such file or directory)

I can't unmask a service on Kubuntu Wily 15.10

Configure xvfb for Vivid (15.04) as a service using systemd

systemctl status active: exited vs running

Slow boot time (Ubuntu 18.04) on SSD

What does /bin/bash -c mean in service unit?

How can I get the celery daemon to run on Ubuntu 16.04 using systemd?