I am trying to create a systemd service for a web server process that has to bind to port 80 and 443. I found some examples setting AmbientCapabilities=CAP_NET_BIND_SERVICE
and setting both AmbientCapabilities
and CapabilityBoundingSet
. From the doc, it is not clear. Systemd doc: link. Linux man doc: link
Should I set both or just AmbientCapabilities?
Best Answer
They're complete opposites:
AmbientCapabilities
grants capabilities that the process normally wouldn't have started with.CapabilityBoundingSet
limits capabilities the process is allowed to obtain. It doesn't grant any.For your task, it is enough to set AmbientCapabilities to grant the privileges – the bounding set already allows everything by default, so there's no need to change the it.
Instead, the latter is meant to be a security hardening feature. Even if the service literally runs as root (uid 0) – or calls a setuid-root program like 'su' or 'sudo' – it can never gain any privileges that aren't in its bounding set.
But you can (and perhaps should) set both if you're sure your service won't be directly running anything that needs higher privileges.