[Nix-dev] nixos service using privileged ports as a non-root user

Ganesh Sittampalam ganesh at earth.li
Fri Jun 5 23:39:22 CEST 2015


Hi,

Thanks for the replies.

On 05/06/2015 11:53, Eelco Dolstra wrote:
> Hi,
> 
> On 05/06/15 00:37, Oliver Charles wrote:
> 
>> I believe the User option in systemd unit configuration should do this. 
> 
> I think you'll also need:
> 
>   systemd.services.my-unit.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

Would you mind expanding on how this would work?

I've had a bit of a play and it seems the two options are to set
User=root and have the CapabilityBoundingSet cut down the privileges, or
set User=darcsden but then I need a binary that I've run setcap on
somehow, because the binary's capabilities are an upper bound. Am I
missing something?

> Alternatively, socket activation combined with the User setting should work.

Yeah, that does sound like the nicest solution, I'll look at changing
the code to support that.

Cheers,

Ganesh
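
The service side of the socket-activation approach discussed in this message, as an added example that is not part of the original thread or of darcsden's code: systemd binds the privileged port as root from a socket unit, and the process started under User= only adopts the inherited descriptor. It assumes a matching socket unit exists for the service; the function names are hypothetical.

```python
"""Service side of systemd socket activation (the sd_listen_fds protocol).

The service runs as an unprivileged user and never calls bind() itself, so it
needs neither root nor CAP_NET_BIND_SERVICE.
"""
import os
import socket

SD_LISTEN_FDS_START = 3  # first passed descriptor, fixed by the protocol


def listen_fds(environ, pid):
    """Return the descriptor numbers systemd passed to the process `pid`."""
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []  # variables were meant for another process (e.g. a parent)
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []  # not socket-activated, or malformed environment
    if count < 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def adopt_stream_socket(fd):
    """Wrap an inherited descriptor, refusing anything but a stream socket."""
    sock = socket.socket(fileno=fd)  # family and type are detected from the fd
    if sock.type != socket.SOCK_STREAM:
        sock.detach()  # give the descriptor back unused instead of closing it
        raise ValueError("fd %d is not a stream socket" % fd)
    return sock


def main():
    fds = listen_fds(os.environ, os.getpid())
    if len(fds) != 1:
        raise SystemExit("expected exactly one socket from systemd, got %d" % len(fds))
    # Keep child processes from inheriting the activation variables.
    for name in ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"):
        os.environ.pop(name, None)
    server = adopt_stream_socket(fds[0])
    conn, _peer = server.accept()  # already bound and listening
    conn.sendall(b"hello from uid %d\n" % os.getuid())
    conn.close()


if __name__ == "__main__":
    main()
```

The LISTEN_PID comparison is the part most often skipped: without it, a child that inherits the environment would treat whatever happens to be on descriptor 3 as the listening socket.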

