[systemd-devel] Newbie systemd-related question - how to run a service w/o anything but network?

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Thu Jul 26 06:55:42 PDT 2012


On 07/26/2012 12:09 PM, Peter Lemenkov wrote:
> Hello All.
> I'm trying to write a systemd service for epmd (Erlang Port Mapper
> Daemon, if someone is curious). Its only purpose is to open a TCP port
> 4369 at 0.0.0.0 and act as a simple messaging (very simple actually)
> bus between erlang nodes. I'd like to run it w/o anything and under a
> most restricted system account. So far I'm using this service:
> 
> ================
> [Unit]
> Description=Erlang Port Mapper Daemon
> After=network.target
> 
> [Service]
> User=nobody
> Group=nobody
> Type=simple
> PrivateTmp=true
> NoNewPrivileges=true
> ExecStart=/usr/bin/epmd
> ExecStop=/usr/bin/epmd -kill
> 
> [Install]
> WantedBy=multi-user.target
> ================
> 
> Could someone propose something to restrict it further? It really
> doesn't need fs access, no exec, no /dev/* access, etc. - just open a
> socket and send/receive messages. Any advice will be very
> appreciated.
Hi,

1. Change nobody to a custom user. Nobody is used by nfs for unmappable
users, and thus should not be used for unprivileged daemons.

2. Type=simple is the default and can be dropped.

3. Add RootDirectory=/var/empty

4. If you convert it to socket activation, then it won't even need the
privilege to open sockets.

5. Add SystemCallFilter=recv,recvmsg,sendmsg,... (whatever is necessary).

HTH,
Zbyszek
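Putting the reply's points together, here is an added example of a socket-activated unit pair for epmd; it is not from the thread or from the Erlang project. It assumes a dedicated `epmd` system account exists and that the installed epmd accepts the `-systemd` flag (added in later Erlang/OTP releases); it uses the newer filesystem sandboxing directives (ProtectSystem=, PrivateDevices=) rather than RootDirectory=, which would require the binary to be present inside the chroot.

```ini
# --- /etc/systemd/system/epmd.socket ---
# systemd owns the listening socket, so epmd itself never needs
# the ability to bind() a port.
[Unit]
Description=Erlang Port Mapper Daemon Activation Socket

[Socket]
ListenStream=0.0.0.0:4369
Accept=no

[Install]
WantedBy=sockets.target

# --- /etc/systemd/system/epmd.service ---
[Unit]
Description=Erlang Port Mapper Daemon
Requires=epmd.socket
After=epmd.socket

[Service]
# Dedicated account (assumed to exist) instead of 'nobody', as the reply advises.
User=epmd
Group=epmd
# -systemd makes epmd take its listening socket from systemd (assumed to be
# supported by the installed Erlang/OTP release).
ExecStart=/usr/bin/epmd -systemd
NoNewPrivileges=yes
CapabilityBoundingSet=
# Filesystem: read-only view of the OS, no /home, private /tmp, no /dev/*.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Network: only IP sockets; no unix, netlink or packet sockets.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Syscalls: the baseline set for a network service, minus the privileged
# and resource-control groups; blocked calls fail with EPERM instead of SIGSYS.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
```

On systemd 240 or later, `systemd-analyze security epmd.service` scores the remaining exposure of the unit and lists which directives are still missing.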

