[systemd-devel] [ANNOUNCE] systemd v39

Lennart Poettering lennart at poettering.net
Wed Jan 25 06:57:35 PST 2012


On Wed, 25.01.12 11:11, Jan Engelhardt (jengelh at medozas.de) wrote:

> >[v39]
> >* If a group "adm" exists, journal files are automatically
> >  owned by them
> 
> This sounds like it has the potential that journal files suddenly
> become writable by a random user group that has existed previously.

They are only readable to "adm", not writable.

And "adm" has been defined as "the group which (among other things
possibly) is allowed to read log files" on Debian and a number of other
Linux distributions.

I think this is quite safe to do, and these are very useful semantics that
make sense to adopt across all Linux distributions.

If a distro believes this is a huge security threat, they are welcome to
maintain a patch to our sources in their rpms to use a different group.

> >[v38]
> >* Output of SysV services is now forwarded to both the console
> >  and the journal by default, not only just the console.
> 
> I would actually prefer if it wrote that to the current tty that
> invoked the start action, rather than the console which is stowed
> away in a deep cellar...

We explicitly want to avoid that services are entirely isolated from the
user session they are started from. Running a service with the tty of
the user running the command would be the absolute opposite of
"isolated".

In fact, this kind of isolation is one of the big features of systemd.

> >* Processes with '@' in argv[0][0] are now excluded from the
> >  final shut-down killing spree
> 
> Did you consider
> http://lists.freedesktop.org/archives/systemd-devel/2012-January/004221.html ?

Hmm? What precisely? I thought I already made clear that there's a
difference between asking "did this process originate from the initrd?"
and "shall this process be killed during the final killing
spree?". While there's a big overlap, and only processes which qualify
for the former shall answer "yes" to the latter, they aren't the same
thing.

Or, in other words: I really want people to think about this whole
problem before they exclude themselves from the killing spree.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
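Two small audit checks for the two points debated above, added here as an example; this is not code from the thread or from systemd's own sources. The first verifies that the "adm" exposure of journal files really is read-only (group-readable, never group- or world-writable, and owned by the expected group); the second lists the running processes that have marked themselves with '@' in argv[0][0] and so would be skipped by the final killing spree, which is what an administrator wants to review before trusting that exemption. Both functions take their root directory and the expected group as parameters (an assumption made so they can be run against a constructed directory tree), and the script assumes Linux with GNU or busybox `stat`, `head -c` and `tr`.

```shell
#!/bin/sh
# Added example, not from the thread: audit helpers for the v39 "adm" journal
# ownership and the '@' argv[0][0] shutdown exemption.

# check_journal_perms DIR [GROUP]
# Every *.journal file directly under DIR or one level below (systemd keeps
# per-machine-id subdirectories) must be group-readable, must not be group-
# or world-writable, and, if GROUP is given, must be group-owned by GROUP.
# Returns 0 when everything is in order, 1 otherwise; offending files are
# printed one per line.
check_journal_perms() {
    dir=$1
    want_group=$2            # empty string skips the ownership check
    bad=0
    for f in "$dir"/*.journal "$dir"/*/*.journal; do
        [ -e "$f" ] || continue
        perm=$(stat -c '%A' "$f")    # symbolic mode, e.g. -rw-r-----
        grp=$(stat -c '%G' "$f")
        case "$perm" in
            ?????w*)    echo "$f: group-writable ($perm)"; bad=$((bad+1)) ;;
        esac
        case "$perm" in
            ????????w*) echo "$f: world-writable ($perm)"; bad=$((bad+1)) ;;
        esac
        case "$perm" in
            ????r*)     ;;
            *)          echo "$f: not group-readable ($perm)"; bad=$((bad+1)) ;;
        esac
        if [ -n "$want_group" ] && [ "$grp" != "$want_group" ]; then
            echo "$f: owned by group $grp, expected $want_group"
            bad=$((bad+1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# list_killspree_exempt PROCROOT
# Walks PROCROOT/<pid>/cmdline (PROCROOT is normally /proc; a constructed
# tree works for testing) and prints "PID ARGV0" for every process whose
# argv[0] starts with '@', i.e. every process claiming the shutdown exemption.
list_killspree_exempt() {
    root=$1
    for p in "$root"/[0-9]*; do
        [ -r "$p/cmdline" ] || continue
        first=$(head -c 1 "$p/cmdline")
        [ "$first" = "@" ] || continue
        argv0=$(tr '\0' '\n' < "$p/cmdline" | head -n 1)
        printf '%s %s\n' "${p##*/}" "$argv0"
    done
    return 0
}

# Stand-alone run against the live system (read-only inspection).
if [ -d /var/log/journal ]; then
    check_journal_perms /var/log/journal adm && echo "journal permissions OK"
fi
echo "processes exempt from the final killing spree:"
list_killspree_exempt /proc
```

Running it as root on a v39-era system answers both questions at once: whether "adm" got exactly the read access Lennart describes and nothing more, and which processes (ideally only those that originated from the initrd) have opted out of the final kill.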