mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-25 19:10:10 +00:00
ce1cb952e8
It's tricky. On Redhat platforms, we need the CAP_DAC_READ_SEARCH capability. Unfortunately this is one of the nicest capabilities to have. For now add it to ambient set so that PAM can work on redhat platforms. Mitigate this risk by safeguarding the license handling code, which is the only known place that can read a file and send it to somewhere. If we could drop the capability from effective set and add it back in when needed, that would be nice, but that appears not to be possible. Short of that, having a separate authentication process running and dropping privilege would potentially work.
28 lines
643 B
Desktop File
28 lines
643 B
Desktop File
# IBM(c) 2015 Apache 2.0
|
|
# Lenovo(c) 2020 Apache 2.0
|
|
[Unit]
|
|
Description=Confluent hardware manager
|
|
|
|
[Service]
|
|
Type=forking
|
|
#PIDFile=/var/run/confluent/pid
|
|
RuntimeDirectory=confluent
|
|
StateDirectory=confluent
|
|
CacheDirectory=confluent
|
|
LogsDirectory=confluent
|
|
ConfigurationDirectory=confluent
|
|
ExecStart=/opt/confluent/bin/confluent
|
|
ExecStop=/opt/confluent/bin/confetty shutdown /
|
|
Restart=on-failure
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH CAP_CHOWN
|
|
User=confluent
|
|
Group=confluent
|
|
DevicePolicy=closed
|
|
PrivateDevices=true
|
|
ProtectControlGroups=true
|
|
ProtectSystem=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|