Execution environment configuration
CAPABILITIES
These options are only available for system services and are not
supported for services running in per-user instances of the
service manager.
CapabilityBoundingSet=
Controls which capabilities to include in the capability
bounding set for the executed process. See capabilities(7)
for details. Takes a whitespace-separated list of capability
names, e.g. CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE.
Capabilities listed will be included in the bounding set, all
others are removed. If the list of capabilities is prefixed
with "~", all but the listed capabilities will be included,
i.e. the effect of the assignment is inverted. Note that this
option also affects the respective capabilities in the
effective, permitted and inheritable capability sets. If this
option is not used, the capability bounding set is not modified
on process execution, hence no limits on the capabilities of the
process are enforced. This option may appear more than once, in
which case the bounding sets are merged by OR, or by AND if the
lines are prefixed with "~" (see below). If the empty string is
assigned to this option, the bounding set is reset to the empty
capability set, and all prior settings have no effect. If set to
"~" (without any further argument), the bounding set is reset to
the full set of available capabilities, also undoing any previous
settings. This does not affect commands prefixed with "+".
Note that this option only limits which capabilities the process
may hold; it does not grant any. A service started with a
non-root User= still ends up with no capabilities unless they are
handed to it through AmbientCapabilities= (see below) or granted
by file capabilities on the executable.
Use systemd-analyze(1)'s capability command to retrieve a
list of capabilities defined on the local system.
Example: if a unit has the following,
    CapabilityBoundingSet=CAP_A CAP_B
    CapabilityBoundingSet=CAP_B CAP_C
then CAP_A, CAP_B, and CAP_C are set. If the second line is
prefixed with "~", e.g.,
    CapabilityBoundingSet=CAP_A CAP_B
    CapabilityBoundingSet=~CAP_B CAP_C
then only CAP_A is set.
AmbientCapabilities=
Controls which capabilities to include in the ambient
capability set for the executed process. Takes a
whitespace-separated list of capability names, e.g.
CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. This option
may appear more than once, in which case the ambient
capability sets are merged (see the above examples in
CapabilityBoundingSet=). If the list of capabilities is
prefixed with "~", all but the listed capabilities will be
included, i.e. the effect of the assignment is inverted. If the
empty string is assigned to this option, the ambient capability
set is reset to the empty capability set, and all prior settings
have no effect. If set to "~" (without any further argument),
the ambient capability set is reset to the full set of
available capabilities, also undoing any previous settings.
Note that adding capabilities to the ambient capability set
also adds them to the process's inheritable capability set.
Ambient capability sets are useful if you want to execute a
process as a non-privileged user but still want to give it
some capabilities. Note that in this case the option keep-caps
is automatically added to SecureBits= to retain the capabilities
over the user change. Because the ambient set is preserved
across execve(2) of a program without set-user-ID bits or file
capabilities, every program the service spawns inherits these
capabilities as well unless it drops them, so keep the list
minimal. AmbientCapabilities= does not affect commands prefixed
with "+".
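As an added worked example for both CapabilityBoundingSet= and AmbientCapabilities= above, the following Python re-implements the merge rules the text describes (OR for plain lists, AND-with-complement for "~"-prefixed lists, "" and bare "~" as resets) and applies them to a constructed unit fragment. This is illustrative code written for this page, not systemd's own parser; the unit, its User=, ExecStart= and the function names are made up, and ALL_CAPS is an assumed, abbreviated capability list, where on a real host the authoritative list comes from systemd-analyze capability.

```python
"""Model of how systemd merges repeated CapabilityBoundingSet= and
AmbientCapabilities= lines, as described in systemd.exec(5).

Illustrative re-implementation for this page, not systemd's code.
"""
import re

# Assumption: abbreviated, constructed capability list. A real system has
# more; use `systemd-analyze capability` for the authoritative set.
ALL_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW",
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SETUID", "CAP_SETGID", "CAP_KILL",
})

UNSET = None  # option never used: the kernel set is left unmodified


def apply_line(current, value, known=ALL_CAPS):
    """Apply one assignment's right-hand side to the accumulated set.

    current: None (option not yet seen) or a frozenset of names.
    Returns the new frozenset. Rules follow the man page text:
      - ""  resets to the empty set, "~" resets to the full set;
      - the first assignment replaces; later ones merge by OR, or by
        AND with the complement when the line is prefixed with "~".
    """
    value = value.strip()
    invert = value.startswith("~")
    if invert:
        value = value[1:].strip()
    listed = set()
    for name in value.split():
        if name not in known:
            raise ValueError(f"unknown capability name: {name}")
        listed.add(name)
    if not listed or current is UNSET:       # reset, or first assignment
        return frozenset(known - listed) if invert else frozenset(listed)
    if invert:                                # merge: AND with complement
        return frozenset(current - listed)
    return frozenset(current | listed)        # merge: OR


def capability_sets_from_unit(text, known=ALL_CAPS):
    """Parse the [Service] section of a unit fragment and return the
    resulting bounding and ambient sets (None means option not used)."""
    sets = {"CapabilityBoundingSet": UNSET, "AmbientCapabilities": UNSET}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = key.strip()
        if key in sets:
            sets[key] = apply_line(sets[key], val, known)
    return sets


def ambient_outside_bounding(sets):
    """Ambient capabilities the bounding set would strip.

    The man page says the bounding set also constrains the inheritable
    set, and ambient capabilities are added to the inheritable set, so an
    ambient capability absent from a configured bounding set cannot
    survive. An unset bounding set imposes no limit.
    """
    bounding = sets["CapabilityBoundingSet"]
    if bounding is UNSET:
        return frozenset()
    return frozenset((sets["AmbientCapabilities"] or frozenset()) - bounding)


# Constructed unit fragment (hypothetical service): a daemon that must bind
# port 80 as an unprivileged user. The first bounding-set line is
# deliberately too wide and the "~" line trims it back, mirroring the
# CAP_A/CAP_B/CAP_C example in the man page.
EXAMPLE_UNIT = """\
[Service]
User=www
ExecStart=/usr/bin/httpd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE
AmbientCapabilities=CAP_NET_BIND_SERVICE
"""

if __name__ == "__main__":
    result = capability_sets_from_unit(EXAMPLE_UNIT)
    for key, caps in result.items():
        print(f"{key}={' '.join(sorted(caps)) if caps else '(unset)'}")
    stripped = ambient_outside_bounding(result)
    if stripped:
        print("warning: ambient caps outside bounding set:", sorted(stripped))
```

Running it prints a bounding set and ambient set both reduced to CAP_NET_BIND_SERVICE, which is the least-privilege outcome the man page's wording aims at: the "~" line removes CAP_SYS_ADMIN from the earlier, over-broad line rather than adding anything. The ambient_outside_bounding() check is the one a reviewer wants before deploying a unit, since an ambient capability that the bounding set does not also allow silently never reaches the process.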