[email protected] (Kamil Jońca) writes:

> Hm. I tried to add
> AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
> and takes off capabilities from file but without success (i.e. service
> does not start)
> Should I do something else?

Does it produce any useful error messages?

Maybe this doesn't work the way that I thought it did. The active capabilities are the effective ones, but ambient becomes effective after execve, so I would have expected them to be in place for the process once systemd execs it.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
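The execve() capability rules from capabilities(7) that the reply refers to, as an added example that is not part of the original message. It assumes a non-root process and models only the three capabilities from the quoted setting; the function names, dictionary layout and sample state are illustrative.

```python
# Added example: capability sets across execve(), following capabilities(7).
# Assumption: non-root process; root's special-case handling is not modelled.
CAP_BITS = {"CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13}
ALL_CAPS = (1 << 64) - 1  # constructed: an unrestricted bounding set

def mask(*cap_names):
    """Build a bitmask from capability names."""
    m = 0
    for name in cap_names:
        m |= 1 << CAP_BITS[name]
    return m

def names(m):
    """Decode a bitmask back into the capability names it contains."""
    return sorted(n for n, bit in CAP_BITS.items() if m & (1 << bit))

def execve_caps(proc, file_caps=None, setid=False):
    """Return the process capability sets after execve().

    proc: masks for 'inheritable', 'permitted', 'effective', 'bounding', 'ambient'.
    file_caps: None, or {'permitted': mask, 'inheritable': mask, 'effective': bool}.
    """
    # A file with capabilities or a set-user-ID/set-group-ID bit is "privileged";
    # executing one clears the ambient set.
    privileged = file_caps is not None or setid
    f = file_caps or {"permitted": 0, "inheritable": 0, "effective": False}
    ambient = 0 if privileged else proc["ambient"]
    permitted = ((proc["inheritable"] & f["inheritable"])
                 | (f["permitted"] & proc["bounding"])
                 | ambient)
    effective = permitted if f["effective"] else ambient
    return {"inheritable": proc["inheritable"], "permitted": permitted,
            "effective": effective, "bounding": proc["bounding"],
            "ambient": ambient}

WANTED = mask("CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_NET_BIND_SERVICE")
# Constructed pre-exec state: ambient must be a subset of permitted and inheritable.
BEFORE = {"inheritable": WANTED, "permitted": WANTED, "effective": 0,
          "bounding": ALL_CAPS, "ambient": WANTED}

if __name__ == "__main__":
    plain = execve_caps(BEFORE)  # binary with no file capabilities
    print("plain binary     :", names(plain["effective"]))
    # Binary that still carries a file capability, e.g. cap_net_raw+ep
    left = {"permitted": mask("CAP_NET_RAW"), "inheritable": 0, "effective": True}
    print("file caps present:", names(execve_caps(BEFORE, left)["effective"]))
```

On a running service, the `CapEff` and `CapAmb` lines in `/proc/<pid>/status` show the real masks to compare against this model.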

