Control: tags -1 wontfix
Control: summary -1 CapabilityBoundingSet prevents "Unprivileged mode", needs override

On Fri, May 13, 2016 at 09:01:20AM -0400, Simon Deziel wrote:

Hi,

> Hi Jim,
> 
> On 2016-05-13 08:19 AM, BARBER, Jim wrote:
> > I tried Simon Deziel's technique first.
> > I ran: systemctl edit openvpn@.service
> > It opened a blank editor and I added the following lines:
> > 
> >         [Service]
> >         CapabilityBoundingSet=
> 
> I'm sorry to have induced you in error. Apparently you need to set it
> like that to properly undo any previous effect:
> 
>   [Service]
>   CapabilityBoundingSet=~
> 
> This is explained here [1]:
> 
> > If set to "~" (without any further argument), the bounding set is
> > reset to the full set of available capabilities, also undoing any
> > previous settings.

So, as far as I understand this bug, the systemd CapabilityBoundingSet
prevents "sudo" from working.

I'm marking this as "wontfix" since you can override it locally if
necessary, and the default protection with the capabilities is more
important.

Bernhard
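
The difference between the two drop-ins discussed in this thread, as an added example that is not part of the original messages or of the openvpn packaging: a simplified Python model of how repeated CapabilityBoundingSet= lines are merged, following the rules quoted above from the systemd documentation. The capability universe is abbreviated and the packaged unit's capability list is a constructed stand-in, not the real unit file.

```python
# Added example: simplified model of how systemd merges repeated
# CapabilityBoundingSet= lines (unit file first, then drop-ins).
# ALL_CAPS is an abbreviated, constructed universe; real kernels define more.
ALL_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SYS_ADMIN", "CAP_SYS_CHROOT",
})


def effective_bounding_set(unit_text):
    """Return the bounding set left after every CapabilityBoundingSet= line."""
    current = ALL_CAPS  # option never set: nothing is dropped
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "CapabilityBoundingSet":
            continue
        invert = value.startswith("~")
        names = frozenset((value[1:] if invert else value).split())
        unknown = names - ALL_CAPS
        if unknown:
            raise ValueError(f"unknown capability: {sorted(unknown)}")
        if not names or current == ALL_CAPS:
            # "" resets to the empty set, "~" resets to the full set,
            # and the first real list replaces the unset default.
            current = ALL_CAPS - names if invert else names
        elif invert:
            current = current - names   # "~CAP_X": AND with the complement
        else:
            current = current | names   # plain list: OR into the set
    return current


# Constructed stand-in for a packaged unit that restricts capabilities.
PACKAGED = "[Service]\nCapabilityBoundingSet=CAP_NET_ADMIN CAP_SETGID CAP_SETUID\n"
EMPTY_DROPIN = "[Service]\nCapabilityBoundingSet=\n"    # first attempt in the thread
TILDE_DROPIN = "[Service]\nCapabilityBoundingSet=~\n"   # corrected override

if __name__ == "__main__":
    for label, dropin in (("none", ""), ("empty", EMPTY_DROPIN), ("~", TILDE_DROPIN)):
        caps = effective_bounding_set(PACKAGED + dropin)
        print(f"drop-in {label!r}: {len(caps)} capabilities: {sorted(caps)}")
```

On a live host, `systemctl show -p CapabilityBoundingSet <unit>` reports the set systemd actually applied.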
