Lennart Poettering on Nostr: The idea is that by default processes run by root have all capabilities and those run ...
The idea is that by default processes run by root have all capabilities and those run by other users have none. But if you tweak your process' capability you can also have processes owned by UID 0 that lack permissions to do various things, or have processes owned by a UID other than 0 which do have more elevated permissions, akin to root's.
Process capabilities can be controlled via the CapabilityBoundingSet= and AmbientCapabilities= knobs in systemd service files, …
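As an added illustration (not part of the post), two service fragments showing both directions the post describes: a root-owned service whose bounding set is cut down, and an unprivileged service granted a single ambient capability. Service names, users and binary paths are hypothetical.

```ini
# Added example, not from the post. Names and paths are hypothetical.

# Direction 1: runs as UID 0 but may not do "various things".
# CapabilityBoundingSet= limits which capabilities the process (and anything
# it execs) can ever hold. Listing capabilities keeps only those; the
# CapabilityBoundingSet=~CAP_... form instead drops the listed ones.
# /etc/systemd/system/rootctl.service
[Unit]
Description=Root-owned service with a reduced bounding set (example)

[Service]
ExecStart=/usr/local/bin/rootctl
# Only these three survive; CAP_SYS_ADMIN, CAP_NET_RAW, CAP_DAC_OVERRIDE and
# the rest are gone even though the UID is 0.
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_KILL
# Stops execve() of setuid binaries from regaining privileges.
NoNewPrivileges=yes

# Direction 2: runs as an unprivileged user but can bind port 80.
# AmbientCapabilities= makes the listed capabilities ambient, so they survive
# the exec of a plain unprivileged binary without file capabilities on it.
# The bounding set is trimmed to the same single capability.
# /etc/systemd/system/webfront.service
[Unit]
Description=Unprivileged service with one ambient capability (example)

[Service]
User=webfront
Group=webfront
ExecStart=/usr/local/bin/webfront --listen 0.0.0.0:80
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
```

The effective settings can be checked with `systemctl show -p CapabilityBoundingSet -p AmbientCapabilities webfront.service`, and from inside the running process via the `CapEff` line of `/proc/self/status`.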
Published at 2024-12-11 09:17:51 (bridged via ActivityPub from https://mastodon.social/users/pid_eins/statuses/113633438673431866)