[systemd-bugs] [Bug 89875] New: Instance variable %i not available for (Inaccessible|Read(Only|Write)Directories)

Thu Apr 2 08:02:36 PDT 2015

https://bugs.freedesktop.org/show_bug.cgi?id=89875

            Bug ID: 89875
           Summary: Instance variable %i not available for
                    (Inaccessible|Read(Only|Write)Directories)
           Product: systemd
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: medium
         Component: general
          Assignee: systemd-bugs at lists.freedesktop.org
          Reporter: berni at birkenwald.de
        QA Contact: systemd-bugs at lists.freedesktop.org

We're trying to run multiple DHCP processes on one system. They have
their data in a instance-specific configuration directory and we'd like
to limit (r/w for now) filesystem access to that directory for security
reasons.

==> dhcpd at .service <==
[Unit]
Description=DHCP Instance %i
After=syslog.target
After=network.target

[Service]
ExecStart=/usr/sbin/dhcpd -cf /var/lib/dhcp/%i/etc/dhcpd.conf -lf
/var/lib/dhcp/%i/db/dhcpd.leases -pf /var/lib/dhcp/%i/dhcpd.pid -f
Type=simple
Restart=on-failure
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ReadOnlyDirectories=/
ReadWriteDirectories=/var/lib/dhcp/%i

This does not work

Apr 02 11:02:38 dns-w-neu systemd[1]: Started DHCP Instance b1peer2.
Apr 02 11:02:38 dns-w-neu systemd[1]: Starting DHCP Instance b1peer2...
Apr 02 11:02:38 dns-w-neu systemd[7760]: Failed at step NAMESPACE
spawning /usr/sbin/dhcpd: No such file or directory
Apr 02 11:02:38 dns-w-neu systemd[1]: dhcpd at b1peer2.service: main
process exited, code=exited, status=226/NAMESPACE
Apr 02 11:02:38 dns-w-neu systemd[1]: Unit dhcpd at b1peer2.service entered
failed state.
Apr 02 11:02:38 dns-w-neu systemd[1]: dhcpd at b1peer2.service failed.
Apr 02 11:02:38 dns-w-neu systemd[1]: dhcpd at b1peer2.service holdoff time
over, scheduling restart.

The directory exists

root at dns-w-neu:/var/lib/dhcp# ls -lad b1peer2
drwxr-xr-x 4 root root 4096 Apr  1 16:40 b1peer2

it works fine with either

ReadWriteDirectories=/var/lib/dhcp

and 

ReadWriteDirectories=/var/lib/dhcp/b1peer2

(which obviously won't work with other instances, but that's not  the
point here).

So it seems that %i is not evaluated in ReadWriteDirectories (at least).

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-bugs/attachments/20150402/6a3b850d/attachment-0001.html>