Why is AmbientCapabilities=CAP_SYS_ADMIN required? #118

Open
septatrix opened this issue Feb 7, 2025 · 5 comments

Comments

@septatrix

This pretty much gives quarkus superuser privileges and is unacceptable for services reachable via the network

@Eng-Fouad
Member

> This pretty much gives quarkus superuser privileges and is unacceptable for services reachable via the network

An alternative is to use:

NotifyAccess=all

Otherwise, the app which is run by a non-root user cannot send notifications to systemd.

@gsmet
Member

gsmet commented Feb 9, 2025

I'm not very familiar with systemd but the alternative you mention looks less scary?

@septatrix
Author

> I'm not very familiar with systemd but the alternative you mention looks less scary?

Yes, using NotifyAccess is way better

@gsmet
Member

gsmet commented Feb 10, 2025

Maybe you can create a small PR if you checked all is fine with this setup?

@septatrix
Author

Looking at the man page, I think it might be necessary to add the --block switch to the subprocess, as otherwise the process may exit before systemd had a chance to check to which service it belongs.
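Added example (not code from this project or from any commenter in the thread): a small Python check that reads a unit's [Service] section and reports whether CAP_SYS_ADMIN ends up in the ambient capability set and which NotifyAccess value applies, following the merge and reset rules systemd documents for AmbientCapabilities=. The sample units, the user name and the path are constructed placeholders.

```python
# Constructed sample: a [Service] section in the issue's "before" state.
# Unit contents, user and path are placeholders, not the project's own file.
BEFORE = """\
[Service]
Type=notify
User=appuser
ExecStart=/opt/example/run
AmbientCapabilities=CAP_SYS_ADMIN
"""
# The same constructed unit using the alternative suggested in the thread.
AFTER = BEFORE.replace("AmbientCapabilities=CAP_SYS_ADMIN", "NotifyAccess=all")


def audit_unit(text):
    """Summarise the capability and notify settings of a unit's [Service] section."""
    section, ambient, settings, notes = None, set(), {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "AmbientCapabilities":
            settings[key] = value                # a later assignment overrides
        elif not value:
            ambient.clear()                      # empty assignment resets the set
        elif value.startswith("~"):
            notes.append("inverted capability list, review by hand")
        else:
            ambient.update(value.split())        # repeated assignments merge
    notify = settings.get("NotifyAccess", "none")
    if settings.get("Type") == "notify" and notify == "none":
        notify = "main"                          # systemd's implicit value for Type=notify
    if notify == "all":
        notes.append("any process in the service's cgroup may send notifications")
    return {"cap_sys_admin": "CAP_SYS_ADMIN" in ambient,
            "notify_access": notify, "notes": notes}


if __name__ == "__main__":
    for name, unit in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_unit(unit))
```

Drop-in overrides can be checked by concatenating them after the main unit text, since an empty `AmbientCapabilities=` line in a later file clears what earlier lines granted.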
