I am trying to reduce the root user capabilities by using the CapabilityBoundingSet option in my service file. Anyway, it seems I cannot prevent root from writing a file.
For example, with this service file:
$ cat test.service
[Unit]
Description=Test
After=basic.target
[Service]
ExecStart=/bin/sh -c "echo 172 > /target"
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
So, if I have this original file:
$ cat /target
I am the original file
$ systemctl start test.service
$ cat /target
172
$ whoami
root
My kernel version is 3.1.10.
I have also tried with an empty set, or other capabilities, but it is not working. What could be wrong?
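Added example, not part of the original post: the behaviour above is expected, because CAP_DAC_OVERRIDE is only consulted after the ordinary owner/group/other permission check has already failed. A service running as uid 0 writing to a file owned by uid 0 with mode 644 passes that check on the owner bits alone, so no capability is involved and CapabilityBoundingSet= has nothing to remove. The script below reproduces that decision logic so it can be checked against any uid, gid and mode. It is illustrative code written for this edit, not anything from systemd or the kernel; it assumes Linux with GNU coreutils `stat` for the file-based helper, and it ignores supplementary groups, which the real kernel check also consults.

```shell
#!/bin/sh
# Illustrative example (not from the original post or from systemd):
# reproduce the classic DAC check that runs before CAP_DAC_OVERRIDE is
# ever considered.  Assumptions: Linux, GNU coreutils `stat`, and
# supplementary groups are ignored (the kernel also checks those).

# dac_write_allowed UID GID OWNER GROUP MODE
#   MODE is a three-digit octal string such as 644.
#   Succeeds (exit 0) when the mode bits alone permit UID/GID to write,
#   i.e. when no capability is needed at all.
dac_write_allowed() {
    uid=$1 gid=$2 owner=$3 group=$4 mode=$5
    # Select the triad that applies: owner first, then group, then other.
    if [ "$uid" -eq "$owner" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)
    elif [ "$gid" -eq "$group" ]; then
        digit=$(printf '%s' "$mode" | cut -c2)
    else
        digit=$(printf '%s' "$mode" | cut -c3)
    fi
    # Write permission is bit 2 of the triad (r=4, w=2, x=1).
    [ $(( digit & 2 )) -ne 0 ]
}

# needs_dac_override UID GID FILE
#   Prints "no-capability-needed" when UID can already write FILE through
#   ownership or mode bits, or "CAP_DAC_OVERRIDE" when only that
#   capability would get the write through.
needs_dac_override() {
    uid=$1 gid=$2 file=$3
    set -- $(stat -c '%u %g %a' "$file")
    # stat prints the mode without leading zeros and may include setuid/
    # setgid/sticky digits; normalise to the last three digits.
    mode=$(printf '%03d' "$3")
    mode=${mode#"${mode%???}"}
    if dac_write_allowed "$uid" "$gid" "$1" "$2" "$mode"; then
        echo no-capability-needed
    else
        echo CAP_DAC_OVERRIDE
    fi
}

# Constructed scenario matching the question: /target owned by root,
# mode 644, service running as uid 0.  The owner triad (6 = rw-) allows
# the write, so the bounding set is irrelevant.
scenario_from_question() {
    if dac_write_allowed 0 0 0 0 644; then
        echo "uid 0 writes root-owned 644 file: no-capability-needed"
    else
        echo "uid 0 writes root-owned 644 file: CAP_DAC_OVERRIDE"
    fi
}

# Constructed demonstration on a temporary file (only run where GNU stat
# is available): the same uid needs CAP_DAC_OVERRIDE once the owner
# write bit is cleared.
demo() {
    f=$(mktemp)
    chmod 644 "$f"
    echo "mode 644: $(needs_dac_override "$(id -u)" "$(id -g)" "$f")"
    chmod 444 "$f"
    echo "mode 444: $(needs_dac_override "$(id -u)" "$(id -g)" "$f")"
    rm -f "$f"
}

scenario_from_question
if stat -c '%u' / >/dev/null 2>&1; then
    demo
fi
```

The practical consequence is that capability bounding is the wrong tool for this case: to keep a root service from modifying a root-owned, owner-writable file, the file has to be made unreachable or read-only for the service rather than the capability removed. Candidates are running the service under a non-root User= so that the owner bits no longer apply, or mounting the path read-only for that unit (ReadOnlyDirectories= in older systemd, ReadOnlyPaths= in newer releases); these are suggestions for the setup described, not something verified on the asker's kernel 3.1.10 and systemd version.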