I want to run a service with cap_net_raw capabilities but without any interaction with the filesystem and/or other processes. My program will use raw sockets and normal sockets (for the API), stdout/err for logging, and that's all.

I want to write a systemd.service file to do this, but I couldn't produce a proper combination of DynamicUser, User and CapabilityBoundingSet.

My (non-working) unit looks like this:

[Unit]
Description=my daemon (%I)
ConditionFileNotEmpty=/etc/daemon/%i.conf
Wants=network-online.target
BindsTo=daemon.target

[Service]
Type=simple
WorkingDirectory=/etc/daemon
EnvironmentFile=/etc/daemon/%i.conf
ExecStart=/usr/bin/daemon ${OPTIONS}
CapabilityBoundingSet=CAP_NET_RAW
ProtectSystem=true
ProtectHome=true
RestartSec=5s
Restart=on-failure
User=daemon-%i
Group=nobody
DynamicUser=true
[Install]
WantedBy=daemon.target

How can I configure dynamic user 'nobody' together with CAP_NET_RAW?

George Shuklin

1 Answer

You also need:

AmbientCapabilities=CAP_NET_RAW

See this question about the difference between AmbientCapabilities and CapabilityBoundingSet, as well as the documentation.

musicinmybrain
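
A way to confirm the effect of the setting from the answer, as an added example that is not part of the original answer: CapabilityBoundingSet only limits which capabilities a process may hold, so a service started under a non-root User= ends up with an empty effective set unless AmbientCapabilities also grants the capability. The script decodes the Cap* lines of /proc/<pid>/status; the two sample status texts are constructed, and the function names are hypothetical.

```python
"""Classify CAP_NET_RAW availability from the Cap* lines of /proc/<pid>/status."""

CAP_NET_RAW = 13  # bit number of CAP_NET_RAW in linux/capability.h

# Constructed samples (not captured output): a non-root service with only
# CapabilityBoundingSet=CAP_NET_RAW, then with AmbientCapabilities=CAP_NET_RAW added.
BOUNDING_ONLY = ("CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
                 "CapEff:\t0000000000000000\nCapBnd:\t0000000000002000\n"
                 "CapAmb:\t0000000000000000\n")
WITH_AMBIENT = ("CapInh:\t0000000000002000\nCapPrm:\t0000000000002000\n"
                "CapEff:\t0000000000002000\nCapBnd:\t0000000000002000\n"
                "CapAmb:\t0000000000002000\n")


def parse_cap_sets(status_text):
    """Return e.g. {'Eff': 0x2000, 'Bnd': 0x2000, ...} from status text."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            sets[key[3:]] = int(value.strip(), 16)
    return sets


def diagnose(status_text, cap=CAP_NET_RAW):
    """Say whether the capability is usable, merely allowed, or blocked."""
    sets = parse_cap_sets(status_text)
    if "Eff" not in sets or "Bnd" not in sets:
        raise ValueError("status text has no CapEff/CapBnd lines")
    bit = 1 << cap
    if sets["Eff"] & bit:
        return "usable"                    # raw sockets can be opened
    if not sets["Bnd"] & bit:
        return "blocked-by-bounding-set"   # can never be acquired
    return "allowed-but-not-granted"       # the question's situation


if __name__ == "__main__":
    print("bounding set only:", diagnose(BOUNDING_ONLY))
    print("with ambient set: ", diagnose(WITH_AMBIENT))
    try:
        with open("/proc/self/status") as fh:
            print("this process:     ", diagnose(fh.read()))
    except OSError:
        pass  # no procfs available (non-Linux host)
```

To check a running service, pass the contents of /proc/<MainPID>/status to diagnose().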