
I am working on an embedded system device which basically has a root user. I have a systemd service, call.service, which works fine with root access. The service basically creates a few sockets and then interacts with the network device.

I want to launch this service with user UserA, and capabilities like net_raw and net_admin. I have written the following unit file:

file: /etc/systemd/system/multi-user.target.wants/call.service

[Unit]
Description=XXX call service
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=userA
Group=userA
ExecStart=/opt/call/bin/call eth0 -P -1
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
ExecStartPre=/bin/mkdir -p /tmp/call
ExecStartPre=/bin/chmod -R 755 /tmp/call
ExecStopPost=/bin/rm -rf /tmp/call

[Install]
WantedBy=multi-user.target


However, when I launch this service, it fails during socket creation with the error "Operation Not Permitted".

$ systemctl restart call

Dec 01 17:56:10 xxxx call[26955]: ERROR    : CALL [17:56:10:682] socket creation failed: Operation not permitted

Corresponding src file for the error:

//file call.cpp
net_iface_l->sd_general = socket( PF_PACKET, SOCK_DGRAM, 0 );
if( net_iface_l->sd_general == -1 ) {
    LOG_ERROR( "socket creation failed: %s", strerror(errno));
    return false;
}

Can someone point out if there is a mistake in the user creation or the capabilities defined? Maybe something is missing in terms of the user permissions here, which I am unable to understand.

1 Answer

does the trick with the following line.

AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
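
A way to confirm the fix on the running service, as an added example that is not part of the original question or answer: with User=userA, CapabilityBoundingSet= only limits what the process may hold, while AmbientCapabilities= is what puts the capabilities into the effective set, and the Cap* masks in /proc/<pid>/status show the difference. The function names and both sample status excerpts are constructed for illustration.

```shell
#!/bin/sh
# Bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# Constructed /proc/<pid>/status excerpts (not captured from the asker's device).
# Service running as userA with only CapabilityBoundingSet= set:
BOUNDING_ONLY='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000003000
CapAmb: 0000000000000000'
# Same service after adding AmbientCapabilities=:
WITH_AMBIENT='CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
CapAmb: 0000000000003000'

# cap_field STATUS FIELD: print the hex mask of one Cap* line.
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_cap MASK BIT: succeed if the capability bit is set in the hex mask.
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# diagnose STATUS: one verdict per capability the service needs.
diagnose() {
    eff=$(cap_field "$1" CapEff)
    bnd=$(cap_field "$1" CapBnd)
    for pair in "CAP_NET_ADMIN:$CAP_NET_ADMIN" "CAP_NET_RAW:$CAP_NET_RAW"; do
        name=${pair%%:*}
        bit=${pair##*:}
        if has_cap "$eff" "$bit"; then
            echo "$name: effective"
        elif has_cap "$bnd" "$bit"; then
            echo "$name: allowed by bounding set but not held"
        else
            echo "$name: not available"
        fi
    done
}

# Live use: diagnose "$(cat /proc/"$(systemctl show -p MainPID --value call)"/status)"
diagnose "$BOUNDING_ONLY"
diagnose "$WITH_AMBIENT"
```

A verdict of "allowed by bounding set but not held" matches the failing unit in the question: socket( PF_PACKET, ... ) needs CAP_NET_RAW in the effective set, not just in the bounding set.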
