[systemd-devel] Errors in log for "systemctl status" as non-root user
lennart at poettering.net
Wed Mar 16 18:07:12 PDT 2011
On Tue, 08.03.11 21:46, Andrey Borzenkov (arvidjaar at gmail.com) wrote:
> > systemd tries to minimize what it loads and also automatically unloads
> > information about unused services. This means that it is very likely
> > that information is not loaded when the user tries to "systemctl status"
> > it. However I do believe that it makes sense that this call succeeds
> > even then, to show meta information that might be relevant even if the
> > service is not active in any way: the description string of a service
> > for example, or the file in the file system a service definition was
> > loaded from.
> > It would be nice if D-Bus would allow "nowarn" policy rules, but
> > unfortunately it currently doesn't.
> Maybe non-root should be allowed to LoadUnit unit then? What exact
> security implications would it have? Systemd only loads units from
> trusted paths anyway?
Well, LoadUnit= might trigger that quite a number of units are pulled in
via dependencies, and they might hook themselves into various
things. And I was a bit afraid of the implications of
that. i.e. unprivileged user does something and suddenly things behave
But maybe this is not actually a problem, given that LoadUnit will never
start a unit, and there's no way how just loading a unit will cause it
to be added to the trigger list of something.
I'll relax the default policy on LoadUnit.
Lennart Poettering - Red Hat, Inc.
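
An added example, not part of the original message and not systemd's own code or shipped policy: a small audit check showing what relaxing a D-Bus policy for LoadUnit changes for unprivileged callers. The two policy documents are constructed samples, and the evaluator is a simplified sketch that only models `send_*` rules in the default context, read in order with the last matching rule deciding.

```python
import xml.etree.ElementTree as ET

DEST = "org.freedesktop.systemd1"
IFACE = "org.freedesktop.systemd1.Manager"
MATCH_ATTRS = {"send_destination", "send_interface", "send_member"}

# Constructed policy, not systemd's shipped file: unprivileged callers are
# denied by default and only GetUnit is opened up.
STRICT = f"""<busconfig>
  <policy user="root">
    <allow send_destination="{DEST}"/>
  </policy>
  <policy context="default">
    <deny send_destination="{DEST}"/>
    <allow send_destination="{DEST}" send_interface="{IFACE}" send_member="GetUnit"/>
  </policy>
</busconfig>"""

# Same policy with one extra rule relaxing LoadUnit (constructed).
RELAXED = STRICT.replace(
    "  </policy>\n</busconfig>",
    f'    <allow send_destination="{DEST}" send_interface="{IFACE}" send_member="LoadUnit"/>\n'
    "  </policy>\n</busconfig>")

def default_allows(policy_xml, member):
    """Verdict for an unprivileged call to IFACE.member: rules in
    <policy context="default"> are read in order, last match wins."""
    msg = {"send_destination": DEST, "send_interface": IFACE, "send_member": member}
    allowed = False  # assumption of this sketch: no matching rule means denied
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("context") != "default":
            continue  # user/group policies (e.g. root) do not apply here
        for rule in policy:
            conds = rule.attrib
            if rule.tag not in ("allow", "deny") or not conds or set(conds) - MATCH_ATTRS:
                continue  # rule kinds this sketch does not model
            if all(msg[k] == v for k, v in conds.items()):
                allowed = rule.tag == "allow"
    return allowed

def unprivileged_members(policy_xml, members=("GetUnit", "LoadUnit", "StartUnit")):
    """Manager methods from `members` that the default context may call."""
    return [m for m in members if default_allows(policy_xml, m)]

if __name__ == "__main__":
    print("strict :", unprivileged_members(STRICT))
    print("relaxed:", unprivileged_members(RELAXED))
```

Run against a real policy file, the same check shows whether state-changing methods such as StartUnit stay closed to unprivileged callers after a rule like this is added.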