haskal tech tip

need to do some dev stuff that needs capabilities like binding to a privileged port, or managing wireguard interfaces, without using sudo (because you don't trust your program not to fuck up root access. also it's security)?

systemd-run can do it (systemd-run can do literally anything. you'd be surprised)

systemd-run --pty -S -pAmbientCapabilities=CAP_NET_ADMIN -pUser=$USER -pGroup=$USER

systemd-run creates an ephemeral unit
--pty hooks it up to the current terminal
-S starts a shell as the process
-p sets a property
AmbientCapabilities=CAP_NET_ADMIN gives the unit the CAP_NET_ADMIN capability. you may also be interested in stuff like CAP_NET_BIND_SERVICE and CAP_NET_RAW
User=$USER and Group=$USER runs it under your actual user instead of as root
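
One way to confirm, from inside the shell that command starts, that the process is not root and its ambient set holds CAP_NET_ADMIN and nothing else. This is an added example, not part of the original post: the function names are made up here, the bit numbers are the ones in linux/capability.h, and the sample status text (including uid 1000) is constructed.

```shell
#!/bin/sh
# Bit numbers (linux/capability.h) of the three capabilities named in the post.
NET_CAPS="CAP_NET_BIND_SERVICE:10 CAP_NET_ADMIN:12 CAP_NET_RAW:13"

# Constructed sample of the relevant /proc/<pid>/status lines (uid 1000 assumed).
SAMPLE_STATUS='Uid: 1000 1000 1000 1000
CapEff: 0000000000001000
CapBnd: 000001ffffffffff
CapAmb: 0000000000001000'

# field NAME STATUS_TEXT -> second column of the "NAME:" line
field() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2 }'
}

# decode_net_caps HEXMASK -> names of the network capabilities set in the mask
decode_net_caps() {
    out=""
    for entry in $NET_CAPS; do
        name=${entry%%:*}
        bit=${entry##*:}
        if [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# check_status STATUS_TEXT -> "ok" when the real uid is non-root and the
# ambient set is exactly CAP_NET_ADMIN; otherwise prints why and returns 1.
check_status() {
    uid=$(field Uid "$1")
    amb=$(field CapAmb "$1")
    if [ -z "$uid" ] || [ -z "$amb" ]; then
        echo "missing Uid or CapAmb"; return 1
    fi
    [ "$uid" -ne 0 ] || { echo "running as root"; return 1; }
    [ $(( 0x$amb )) -eq $(( 1 << 12 )) ] || {
        echo "unexpected ambient set: $amb"; return 1
    }
    echo "ok"
}

# Stand-alone use: pass a status file, e.g. /proc/$$/status from that shell.
if [ -n "${1:-}" ]; then check_status "$(cat "$1")"; fi
```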


@haskal systemd is so great for security, I've been writing my services with ProtectSystem and only allowing read/write to very specific folders :3
also DynamicUser when it doesn't matter permission-wise
