System Capability Settings

Interface System Capability Setting

For details about how to set system capabilities on the WebUI, see Security Policy.

Capabilities

When the nobody user with low permissions runs Nginx, the Nginx capability must be configured to bind port 443. In addition, when the HwHiAiUser user with low permissions runs the discovery process, the discovery capability must be configured because the original socket is required to send multicast packets. For details, see Table 1.

**Table 1** Capability configuration description
Capability	Description	Reason for Use
cap_net_bind_service	Allows Nginx to be bound to a port whose ID is smaller than 1024.	Nginx needs to use port 443. Therefore, you need to configure the capability of binding port 443.
cap_net_raw=+ep	Allows the discovery process to use raw sockets.	The discovery process needs to use raw sockets to send and receive multicast packets.

Parent topic: Security Configuration and Hardening