AmbientCapabilities grants capabilities
CapabilityBoundingSet limits, but does not grant
NoNewPrivileges=true
# Allow binding to secure ports, broadcast addresses, and raw interfaces.
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
+#
+# As the process starts as an unprivileged user, we need to assign all capabilities that
+# the process may need.
+#
+# If FreeRADIUS needs to be run as root, AmbientCapabilities should be swapped from
+# CapabilityBoundingSet to limit the capabilities the process is given.
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
# Private /tmp that isn't shared by other processes
PrivateTmp=true
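Review bot: Replacing `CapabilityBoundingSet=` with `AmbientCapabilities=` leaves the unit with no upper bound on its capabilities, although the two directives do different jobs and can be set together. Keeping the removed line with the same list next to the new one would still grant the capabilities to the unprivileged user, and would also cap the set if the unit is later overridden to run as root, a case the new comment handles only as a manual swap. The comment above the list mentions only network binding, while the ambient set also hands CAP_SETUID, CAP_SETGID, CAP_CHOWN and CAP_DAC_OVERRIDE to the running process; a short comment per group saying why it is needed (for example `# CAP_SETUID/CAP_SETGID: <reason>`) would make the grant reviewable. The phrase "swapped from CapabilityBoundingSet" probably means "swapped for". The rest of the unit, including any `User=` setting, is outside the hunk.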