Granting a capability to a service

Andrew Lutomirski luto at
Wed Jul 22 20:28:19 UTC 2015

On Wed, Jul 22, 2015 at 1:25 PM, Lennart Poettering
<mzerqung at> wrote:
> On Mon, 20.07.15 13:20, Florian Weimer (fweimer at wrote:
>> (d) Change the Go program to optionally drop capabilities and switch the
>> user.  Do not use fscaps, and keep running it as full root initially.
>> This is the cleanest approach and what other services use, but I don't
>> think Go currently supports switching credentials in all threads in the
>> process.
> Note that caps are weird on Linux. AFAIR they actually apply to
> all kinds of tasks, including threads, not just processes. IIRC Go
> does not give you control when exactly it creates threads, no? This
> makes it difficult to drop caps sanely if you want to ensure they are
> dropped in all threads at the same time, and not just in whatever
> thread was the one started first...

The alternative would be worse.  For example, the effective mask would
be nonsense if it were shared between threads.
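To make the per-thread point concrete, here is an added Go example (written for this page, not code from the thread or from any project mentioned in it): dropAllCaps(false) is the plain capset that touches only the calling thread, and dropAllCaps(true) uses syscall.AllThreadsSyscall, which Go gained in 1.16 for exactly this kind of process-wide credential change. capHeader, capData, capGet and dropAllCaps are constructed names that mirror the kernel's capget(2)/capset(2) ABI.

```go
package main

import (
	"fmt"
	"runtime"
	"syscall"
	"unsafe"
)

// Kernel ABI for capget(2)/capset(2), _LINUX_CAPABILITY_VERSION_3: a header plus two
// 32-bit words per set (caps 0-31 and 32-63). Type and function names are this example's own.
const capVersion3 = 0x20080522

type capHeader struct {
	version uint32
	pid     int32 // 0 selects the calling thread, not the whole process
}
type capData struct{ effective, permitted, inheritable uint32 }

// capGet reads the capability sets of the OS thread the caller is currently running on.
func capGet() (data [2]capData, e syscall.Errno) {
	hdr := capHeader{version: capVersion3}
	_, _, e = syscall.RawSyscall(syscall.SYS_CAPGET,
		uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&data[0])), 0)
	return
}

// dropAllCaps empties every set (lowering caps needs no privilege). allThreads=false is a plain
// capset, which changes only the calling thread; true uses Go 1.16+ AllThreadsSyscall, which
// replays it on every runtime-owned thread (ENOTSUP in cgo binaries). Returns 0 on success.
func dropAllCaps(allThreads bool) (e syscall.Errno) {
	hdr, zero := capHeader{version: capVersion3}, [2]capData{}
	if allThreads {
		_, _, e = syscall.AllThreadsSyscall(syscall.SYS_CAPSET,
			uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&zero[0])), 0)
	} else {
		_, _, e = syscall.RawSyscall(syscall.SYS_CAPSET,
			uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&zero[0])), 0)
	}
	return e
}
func main() {
	runtime.LockOSThread() // pin main so both capGet calls below observe the same task
	done := make(chan syscall.Errno)
	go func() { runtime.LockOSThread(); done <- dropAllCaps(false) }() // runs on another thread
	e := <-done
	mid, _ := capGet()
	fmt.Printf("capset in other thread: errno=%d, main thread permitted still %#x\n", e, mid[0].permitted)
	e = dropAllCaps(true)
	after, _ := capGet()
	fmt.Printf("capset in all threads:  errno=%d, main thread permitted now %#x\n", e, after[0].permitted)
}
```

Run it as root (or with file capabilities) to see the first line keep a non-zero permitted mask while the second line reports zero; as an ordinary user both masks are already empty and the program only confirms that the calls succeed.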


More information about the devel mailing list