24

I am trying to create a systemd service for a web server process that has to bind to port 80 and 443. I found some examples setting AmbientCapabilities=CAP_NET_BIND_SERVICE and setting both AmbientCapabilities and CapabilityBoundingSet. From the doc, it is not clear. Systemd doc: link. Linux man doc: link

Should I set both or just AmbientCapabilities?

Improve this question

1 Answer 1

Reset to default
21

They're complete opposites:

AmbientCapabilities grants capabilities that the process normally wouldn't have started with.

CapabilityBoundingSet limits capabilities the process is allowed to obtain. It doesn't grant any.

For your task, it is enough to set AmbientCapabilities to grant the privileges – the bounding set already allows everything by default, so there's no need to change the it.

Instead, the latter is meant to be a security hardening feature. Even if the service literally runs as root (uid 0) – or calls a setuid-root program like 'su' or 'sudo' – it can never gain any privileges that aren't in its bounding set.

But you can (and perhaps should) set both if you're sure your service won't be directly running anything that needs higher privileges.

Improve this answer
1
  • So, to answer the original question, we should include AmbientCapabilities=CAP_NET_BIND_SERVICE in the service file, and run it as a non-privileged user, right?
    – stolenmoment
    Commented Nov 2, 2021 at 22:49

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .