Discussion:
AmbientCapabilities working examples?
Kamil Jońca
2017-09-04 18:35:36 UTC
I am trying to configure my freeradius service with capabilities
(https://lists.debian.org/debian-devel/2017/09/msg00062.html)

I can do it by setting capabilities on the freeradius binary.
But I heard about the AmbientCapabilities directive and I tried to use
it. Without success - the freeradius dhcp server cannot bind to port 68.

Below is my unit file:
--8<---------------cut here---------------start------------->8---
[Unit]
Description=FreeRADIUS multi-protocol policy server
After=network.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/

[Service]
Type=forking
#Type=simple
PIDFile=/run/freeradius/freeradius.pid
EnvironmentFile=-/etc/default/freeradius
#ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
User=freerad
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_RAW
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
#ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
--8<---------------cut here---------------end--------------->8---

I tried to use one AmbientCapabilities directive with all capabilities
in a space-separated list, but also without success.

What am I missing?
KJ
--
http://wolnelektury.pl/wesprzyj/teraz/
I must Create a System, or be enslav'd by another Man's;
I will not Reason and Compare; my business is to Create.
-- William Blake, "Jerusalem"
Mantas Mikulėnas
2017-09-04 19:46:41 UTC
Post by Kamil Jońca
I am trying to configure my freeradius service with capabilities
(https://lists.debian.org/debian-devel/2017/09/msg00062.html)
I can do it by setting capabilities on the freeradius binary.
But I heard about the AmbientCapabilities directive and I tried to use
it. Without success - the freeradius dhcp server cannot bind to port 68.
Make sure to have removed all file capabilities from /usr/sbin/freeradius,
as their presence disables ambient capabilities.
--
Mantas Mikulėnas <***@gmail.com>
Sent from my phone
Kamil Jońca
2017-09-05 03:09:13 UTC
Post by Kamil Jońca
I am trying to configure my freeradius service with capabilities
(https://lists.debian.org/debian-devel/2017/09/msg00062.html)
I can do it by setting capabilities on the freeradius binary.
But I heard about the AmbientCapabilities directive and I tried to use
it. Without success - the freeradius dhcp server cannot bind to port 68.
Make sure to have removed all file capabilities from /usr/sbin/freeradius, as their presence disables ambient capabilities.
Ahh.
I "cleared" capabilities by:

    setcap "" /file/

instead of

    setcap -r /file/

thanks.

KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Young men think old men are fools; but old men know young men are fools.
-- George Chapman
Lennart Poettering
2017-09-05 07:12:23 UTC
Post by Kamil Jońca
I am trying to configure my freeradius service with capabilities
(https://lists.debian.org/debian-devel/2017/09/msg00062.html)
I can do it by setting capabilities on the freeradius binary.
But I heard about the AmbientCapabilities directive and I tried to use
it. Without success - the freeradius dhcp server cannot bind to port 68.
btw, in current git, support for ambient caps is considerably extended,
and used by all relevant daemons systemd ships itself.

Lennart
--
Lennart Poettering, Red Hat