[systemd-devel] [PATCH] unit: add specifiers for user name and home directory

Lennart Poettering lennart at poettering.net
Sat Dec 17 07:17:18 PST 2011


On Fri, 16.12.11 23:11, Ran Benita (ran234 at gmail.com) wrote:

> > > > And please pass uid and gid as NULL, get_user_creds() can deal with
> > > > that.
> > > > 
> > > > > +        return strdup(home);
> > > > 
> > > > Otherwise looks fine. Thanks!
> > > 
> > > May I also ask why specifier expansion is not allowed in Exec= lines? I
> > > think it's useful, and it works fine when I patch it. Is it problematic
> > > in any way?
> > 
> > Hmm, it is allowed. In getty at .service for example, we have this:
> > 
> > ExecStart=-/sbin/agetty %I 38400
> > 
> > and it works fine?
> 
> Hmm, yes that works. I see service_spawn() expands the command
> arguments, but not the path, which is what I tried. I previously
> looked at config_parse_exec() in load-fragment.c.
> So my question becomes, why not expand the path? (It seems intentional).

Yupp, it is intentional. This has to do with SELinux semantics. We need
to label sockets services are supposed to get passed according to the
service label (i.e. the label of the process binary). Since we create
the sockets before actually starting the services we need to be able to
determine the binary path of all future services at the time we
initialize the sockets. But that is very hard if the process binary is
determined dynamically at initialization time of the service. Hence we
disallow dynamic service binary paths, since I didn't want to to allow
different configuration options on SELinux and non-SELinux systems, in
order to ensure that unit files people write are compatible with all
setups. Does that make some sense?

Lennart

-- 
Lennart Poettering - Red Hat, Inc.


More information about the systemd-devel mailing list