Bug 1409586 - Cannot modify CapabilityBoundingSet in drop-in file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.3
Target Milestone: rc
Assignee: Lukáš Nykrýn
QA Contact: Branislav Blaškovič
Blocks: 1393867 1400961 74systemd
Reported: 2017-01-02 14:39 UTC by Laurent Bigonville
Modified: 2017-08-01 09:12 UTC

Fixed In Version: systemd-219-31.el7
Last Closed: 2017-08-01 09:12:22 UTC

Links
Red Hat Product Errata RHBA-2017:2297 (normal, SHIPPED_LIVE): systemd bug fix and enhancement update, last updated 2017-08-01 12:40:16 UTC

Description Laurent Bigonville 2017-01-02 14:39:22 UTC
Description of problem:
Hi,

I'm trying to override the CapabilityBoundingSet in a drop-in file but that doesn't seem to work. The upstream .service file is cleaning the set completely (CapabilityBoundingSet=) and in the drop-in file I'm trying to grant CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN.

Version-Release number of selected component (if applicable):
systemd-219-30.el7_3.6.x86_64

# systemctl cat collectd.service 
# /usr/lib/systemd/system/collectd.service
[Unit]
Description=Collectd statistics daemon
Documentation=man:collectd(1) man:collectd.conf(5)
After=local-fs.target network-online.target
Requires=local-fs.target network-online.target

[Service]
ExecStart=/usr/sbin/collectd
EnvironmentFile=-/etc/sysconfig/collectd
EnvironmentFile=-/etc/default/collectd
ProtectSystem=full
ProtectHome=true

# A few plugins won't work without some privileges, which you'll have to
# specify using the CapabilityBoundingSet directive below.
#
# Here's a (incomplete) list of the plugins known capability requirements:
#   ceph            CAP_DAC_OVERRIDE
#   dns             CAP_NET_RAW
#   exec            CAP_SETUID CAP_SETGID
#   iptables        CAP_NET_ADMIN
#   ping            CAP_NET_RAW
#   turbostat       CAP_SYS_RAWIO
#
# Example, if you use the iptables plugin alongside the dns or ping plugin:
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
#
# By default, drop all capabilities:
CapabilityBoundingSet=

NoNewPrivileges=true

# Tell systemd it will receive a notification from collectd over it's control
# socket once the daemon is ready. See systemd.service(5) for more details.
Type=notify

# Restart the collectd daemon when it fails.
Restart=on-failure

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/collectd.service.d/capabilities.conf
[Service]

CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

==========

# systemctl show -p CapabilityBoundingSet collectd.service 
CapabilityBoundingSet=0

==========


Somebody confirmed on IRC that it was working on Arch with version 232.
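The merge the reporter expected from the unit file plus drop-in, modelled in Python as an added example (not code from this report or from systemd). It assumes the CapabilityBoundingSet= merge rules as documented in systemd.exec(5) for versions carrying the upstream fix, and uses the six capabilities named in the unit file's comment to stand in for the kernel's full set:

```python
# Added example, not code from the report or from systemd: a model of how the
# CapabilityBoundingSet= lines of a unit file and its drop-ins are merged, as
# documented in systemd.exec(5) for versions carrying the upstream fix.
# Bit numbers are the Linux values for the capabilities named in the unit file.
CAP_BITS = {
    "CAP_DAC_OVERRIDE": 1, "CAP_SETGID": 6, "CAP_SETUID": 7,
    "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13, "CAP_SYS_RAWIO": 17,
}
ALL_CAPS = frozenset(CAP_BITS)  # stands in for the kernel's full capability set


def merge_bounding_set(assignments):
    """Effective bounding set (frozenset of names) for CapabilityBoundingSet=
    values in the order systemd reads them: unit file first, then drop-ins.

    Rules modelled: an empty value resets the set to empty and later lines
    build on that; a bare "~" resets to the full set; a plain list is ORed
    into the current set; a "~"-prefixed list removes the listed names.
    """
    effective = None  # None: nothing assigned yet, i.e. the full set
    for value in assignments:
        value = value.strip()
        if value == "":
            effective = set()
        elif value == "~":
            effective = None
        else:
            inverted = value.startswith("~")
            names = value.lstrip("~").split()
            unknown = [n for n in names if n not in CAP_BITS]
            if unknown:
                raise ValueError(f"unknown capability name(s): {unknown}")
            if inverted:
                base = set(ALL_CAPS) if effective is None else effective
                effective = base - set(names)
            else:
                base = set() if effective is None else effective
                effective = base | set(names)
    return ALL_CAPS if effective is None else frozenset(effective)


def to_mask(caps):
    """The integer bit mask that `systemctl show -p CapabilityBoundingSet`
    printed in systemd 219; 0 means the process gets no capabilities at all."""
    return sum(1 << CAP_BITS[name] for name in caps)


# The reporter's scenario: the packaged unit drops everything (empty value),
# the drop-in grants two capabilities; the merge should keep exactly those.
EXPECTED = merge_bounding_set(["", "CAP_NET_RAW CAP_NET_ADMIN"])
```

For the reporter's two lines the model yields CAP_NET_RAW plus CAP_NET_ADMIN (mask 12288), whereas the systemd-219-30 build above reported CapabilityBoundingSet=0, i.e. every capability dropped.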

Comment 1 Lukáš Nykrýn 2017-01-02 15:08:01 UTC
Looks like https://github.com/systemd/systemd/issues/1221

We should look to these upstream patches and backport them if necessary.

cf677fe core/execute: add the magic character '!' to allow privileged execution (#3493)
661b37b core: fix capability bounding set parsing
b9d345b core: fix CapabilityBoundingSet merging

Comment 2 Lukáš Nykrýn 2017-01-02 15:08:58 UTC
> cf677fe core/execute: add the magic character '!' to allow privileged
> execution (#3493)

Probably not this one.

Comment 3 Christophe Vanlancker 2017-01-03 09:19:06 UTC
Same problem with:

# /etc/systemd/system/collectd.service.d/capabilities.conf
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

Comment 4 Lukáš Nykrýn 2017-01-03 11:42:02 UTC
https://github.com/lnykryn/systemd-rhel/pull/72

Comment 5 Lukáš Nykrýn 2017-01-03 16:34:36 UTC
*** Bug 1381057 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2017-08-01 09:12:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2297
