I’d like to run a service as a non-privileged user, but it needs to bind to a system port number (i.e. less than 1024), so I give it
setcap 'cap_net_bind_service=+ep' <path for service>, all good.
Problem is, on startup, the service reads environment vars and for some reason it can’t do that when it has
cap_net_bind_service. So, with two copies of the executable, one with
cap_net_bind_service, one without, only the one without can read environment vars.
It’s as though there’s a default set of capabilities that allows reading env vars, but the exe loses that capability when I give it
cap_net_bind_service. Is that right, or is something else going on? What additional capability might I need to give to the service so that it can read env vars? There’s nothing in capability.h that jumps out as being “allow env var reading”?