Description of problem:
I'm trying to override the CapabilityBoundingSet in a drop-in file but that doesn't seem to work. The upstream .service file is cleaning the set completely (CapabilityBoundingSet=) and in the drop-in file I'm trying to grant CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
Version-Release number of selected component (if applicable):
# systemctl cat collectd.service
Description=Collectd statistics daemon
# A few plugins won't work without some privileges, which you'll have to
# specify using the CapabilityBoundingSet directive below.
# Here's a (incomplete) list of the plugins known capability requirements:
# ceph CAP_DAC_OVERRIDE
# dns CAP_NET_RAW
# exec CAP_SETUID CAP_SETGID
# iptables CAP_NET_ADMIN
# ping CAP_NET_RAW
# turbostat CAP_SYS_RAWIO
# Example, if you use the iptables plugin alongside the dns or ping plugin:
# By default, drop all capabilities:
# Tell systemd it will receive a notification from collectd over it's control
# socket once the daemon is ready. See systemd.service(5) for more details.
# Restart the collectd daemon when it fails.
# systemctl show -p CapabilityBoundingSet collectd.service
Somebody confirmed on IRC that it was working on Arch with version 232
Looks like https://github.com/systemd/systemd/issues/1221
We should look to these upstream patches and backport them if necessary.
cf677fe core/execute: add the magic character '!' to allow privileged execution (#3493)
661b37b core: fix capability bounding set parsing
b9d345b core: fix CapabilityBoundingSet merging
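As an added illustration of the merging behaviour the report expects (and that the "fix CapabilityBoundingSet merging" commit above restores), the following Python models the documented systemd.exec(5) rules for repeated CapabilityBoundingSet= lines: an empty assignment resets the set, a plain list is OR-ed in, a "~"-prefixed list is removed, and drop-ins are applied after the main unit in lexicographic order. This is example code written for this page, not systemd's parser; the unit text, the drop-in file name "capabilities.conf", and the small capability universe ALL_CAPS (only the names from the collectd unit comments) are constructed for the example.

```python
"""Model of how systemd merges repeated CapabilityBoundingSet= assignments
across a unit file and its drop-ins (systemd.exec(5) semantics):
  - an empty assignment resets the set to empty and discards earlier lines,
  - a plain list of capabilities is OR-ed into the current set,
  - a list prefixed with '~' is AND-ed out (removed) from the current set.
Drop-ins are applied after the main unit file, in lexicographic order.
This is an illustrative reimplementation, not systemd's own parser."""

# Constructed capability universe: only the names mentioned in the collectd
# unit file comments, standing in for the full Linux capability list.
ALL_CAPS = frozenset({
    "CAP_DAC_OVERRIDE", "CAP_NET_RAW", "CAP_SETUID",
    "CAP_SETGID", "CAP_NET_ADMIN", "CAP_SYS_RAWIO",
})

# Constructed stand-ins for the upstream collectd.service and a drop-in placed
# at /etc/systemd/system/collectd.service.d/capabilities.conf (hypothetical name).
UPSTREAM_UNIT = """\
[Service]
# By default, drop all capabilities:
CapabilityBoundingSet=
"""

DROP_INS = {
    "capabilities.conf": "[Service]\nCapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN\n",
}


def bounding_set_values(unit_text):
    """Yield the right-hand side of every CapabilityBoundingSet= line in [Service]."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                            # blank line or comment
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]                # section header, e.g. [Service]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "CapabilityBoundingSet":
            yield value


def apply_value(current, value):
    """Apply one assignment to the current bounding set and return the new set."""
    if value == "":
        return frozenset()                      # reset: nothing before this line counts
    invert = value.startswith("~")
    caps = frozenset(value.lstrip("~").split())
    unknown = caps - ALL_CAPS
    if unknown:
        raise ValueError("unknown capability name(s): " + " ".join(sorted(unknown)))
    return current - caps if invert else current | caps


def effective_bounding_set(unit_text, drop_ins):
    """Compute the bounding set after the unit file and its drop-ins are merged.

    A unit that never mentions CapabilityBoundingSet= keeps the full set.
    """
    current = ALL_CAPS
    sources = [unit_text] + [drop_ins[name] for name in sorted(drop_ins)]
    for text in sources:
        for value in bounding_set_values(text):
            current = apply_value(current, value)
    return current


if __name__ == "__main__":
    # Upstream clears the set; the drop-in must re-grant exactly the two caps.
    print(sorted(effective_bounding_set(UPSTREAM_UNIT, DROP_INS)))
    # A '~' drop-in removes capabilities instead of granting them.
    print(sorted(effective_bounding_set(
        "[Service]\n",
        {"deny.conf": "[Service]\nCapabilityBoundingSet=~CAP_SYS_RAWIO\n"})))
```

With the upstream unit clearing the set and the drop-in granting two capabilities, the model yields exactly CAP_NET_ADMIN and CAP_NET_RAW; that is the result a `systemctl show -p CapabilityBoundingSet collectd.service` check should reflect on a systemd that merges drop-ins correctly. Because a later empty assignment discards everything before it, a drop-in that only needs to add capabilities should never itself contain a bare `CapabilityBoundingSet=` line after the grant.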
> cf677fe core/execute: add the magic character '!' to allow privileged
> execution (#3493)
Probably not this one.
Same problem with:
*** Bug 1381057 has been marked as a duplicate of this bug. ***
fix merged to upstream staging branch ->
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.